idnits 2.17.1 draft-ietf-httpbis-security-properties-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 16. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 383. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 394. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 401. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 407. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (January 23, 2008) is 5938 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- ** Obsolete normative reference: RFC 2109 (Obsoleted by RFC 2965) ** Obsolete normative reference: RFC 2145 (Obsoleted by RFC 7230) ** Obsolete normative reference: RFC 2616 (Obsoleted by RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235) ** Obsolete normative reference: RFC 2617 (Obsoleted by RFC 7235, RFC 7615, RFC 7616, RFC 7617) ** Obsolete normative reference: RFC 2965 (Obsoleted by RFC 6265) Summary: 7 errors (**), 0 flaws (~~), 1 warning (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Hoffman 3 Internet-Draft VPN Consortium 4 Intended status: Informational A. Melnikov 5 Expires: July 26, 2008 Isode Ltd. 6 January 23, 2008 8 Security Requirements for HTTP 9 draft-ietf-httpbis-security-properties-00.txt 11 Status of this Memo 13 By submitting this Internet-Draft, each author represents that any 14 applicable patent or other IPR claims of which he or she is aware 15 have been or will be disclosed, and any of which he or she becomes 16 aware will be disclosed, in accordance with Section 6 of BCP 79. 18 Internet-Drafts are working documents of the Internet Engineering 19 Task Force (IETF), its areas, and its working groups. Note that 20 other groups may also distribute working documents as Internet- 21 Drafts. 23 Internet-Drafts are draft documents valid for a maximum of six months 24 and may be updated, replaced, or obsoleted by other documents at any 25 time. It is inappropriate to use Internet-Drafts as reference 26 material or to cite them other than as "work in progress." 28 The list of current Internet-Drafts can be accessed at 29 http://www.ietf.org/ietf/1id-abstracts.txt. 31 The list of Internet-Draft Shadow Directories can be accessed at 32 http://www.ietf.org/shadow.html. 34 This Internet-Draft will expire on July 26, 2008. 36 Copyright Notice 38 Copyright (C) The IETF Trust (2008). 40 Abstract 42 Recent IESG practice dictates that IETF protocols must specify 43 mandatory-to-implement security mechanisms, so that all conformant 44 implementations share a common baseline. This document examines all 45 widely deployed HTTP security technologies, and analyzes the trade- 46 offs of each. 48 Table of Contents 50 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 51 2. Existing HTTP Security Mechanisms . . . . . . . . . . . . . . 3 52 2.1. Forms And Cookies . . . . . . . . . . . . . . . . . . . . 3 53 2.2. HTTP Access Authentication . . . . . . . . . . . . . . . . 4 54 2.2.1. Basic Authentication . . . . . . . . . . . . . . . . . 4 55 2.2.2. Digest Authentication . . . . . . . . . . . . . . . . 5 56 2.2.3. Other Access Authentication Schemes . . . . . . . . . 6 57 2.3. Centrally-Issued Tickets . . . . . . . . . . . . . . . . . 6 58 2.4. Web Services . . . . . . . . . . . . . . . . . . . . . . . 6 59 2.5. Transport Layer Security . . . . . . . . . . . . . . . . . 6 60 3. Revisions To HTTP . . . . . . . . . . . . . . . . . . . . . . 7 61 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 62 5. Normative References . . . . . . . . . . . . . . . . . . . . . 7 63 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 8 64 Appendix B. Document History . . . . . . . . . . . . . . . . . . 8 65 B.1. Changes between draft-sayre-http-security-variance-00 66 and draft-ietf-http-security-properties-00 . . . . . . . . 8 67 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9 68 Intellectual Property and Copyright Statements . . . . . . . . . . 10 70 1. Introduction 72 Recent IESG practice dictates that IETF protocols are required to 73 specify mandatory to implement security mechanisms. "The IETF 74 Standards Process" [RFC2026] does not require that protocols specify 75 mandatory security mechanisms. "Strong Security Requirements for 76 IETF Standard Protocols" [RFC3365] requires that all IETF protocols 77 provide a mechanism for implementors to provide strong security. RFC 78 3365 does not define the term "strong security". 80 "Security Mechanisms for the Internet" [RFC3631] is not an IETF 81 procedural RFC, but it is perhaps most relevant. Section 2.2 states: 83 We have evolved in the IETF the notion of "mandatory to implement" 84 mechanisms. This philosophy evolves from our primary desire to 85 ensure interoperability between different implementations of a 86 protocol. If a protocol offers many options for how to perform a 87 particular task, but fails to provide for at least one that all 88 must implement, it may be possible that multiple, non-interoperable 89 implementations may result. This is the consequence of the 90 selection of non-overlapping mechanisms being deployed in the 91 different implementations. 93 This document examines the effects of applying security constraints 94 to Web applications, documents the properties that result from each 95 method, and will make Best Current Practice recommendations for HTTP 96 security in a later document version. At the moment, it is mostly a 97 laundry list of security technologies and tradeoffs. 99 2. Existing HTTP Security Mechanisms 101 For HTTP, the IETF generally defines "security mechanisms" as some 102 combination of access authentication and/or a secure transport. 104 2.1. Forms And Cookies 106 Almost all HTTP authentication is accomplished through HTML forms, 107 with session keys stored in cookies. For cookies, most 108 implementations rely on the "Netscape specification", which is 109 described loosely in section 10 of "HTTP State Management Mechanism" 110 [RFC2109]. The protocol in RFC 2109 is relatively widely 111 implemented, but most clients don't advertise support for it. RFC 112 2109 was later updated [RFC2965], but the newer version is not widely 113 implemented. 115 Forms and cookies have number of properties that make them an 116 excellent solution for some implementors. However, many of those 117 properties introduce serious security trade-offs. 119 HTML forms provide a large degree of control over presentation, which 120 is an imperative for many websites. However, this increases user 121 reliance on the appearance of the interface. Many users do not 122 understand the construction of URIs [RFC3986], or their presentation 123 in common clients [[ CITATION NEEDED ]]. As a result, forms are 124 extremely vulnerable to spoofing. 126 HTML forms provide acceptable internationalization if used carefully, 127 at the cost of being transmitted as normal HTTP content in all cases 128 (credentials are not differentiated in the protocol). 130 HTML forms provide a facility for sites to indicate that a password 131 should never be pre-populated. [[ More needed here on autocomplete ]] 133 The cookies that result from a successful form submission make it 134 unessecary to validate credentials with each HTTP request; this makes 135 cookies an excellent property for scalability. Cookies are 136 susceptible to a large variety of XSS (cross-site scripting) attacks, 137 and measures to prevent such attacks will never be as stringent as 138 necessary for authentication credentials because cookies are used for 139 many purposes. Cookies are also susceptible to a wide variety of 140 attacks from malicious intermediaries and observers. The possible 141 attacks depend on the contents of the cookie data. There is no 142 standard format for most of the data. 144 HTML forms and cookies provide flexible ways of ending a session from 145 the client. 147 HTML forms require an HTML rendering engine, which many protocols 148 have no use for. 150 2.2. HTTP Access Authentication 152 HTTP 1.1 provides a simple authentication framework, and "HTTP 153 Authentication: Basic and Digest Access Authentication" [RFC2617] 154 defines two optional mechanisms. Both of these mechanisms are 155 extremely rarely used in comparison to forms and cookies, but some 156 degree of support for one or both is available in many 157 implementations. Neither scheme provides presentation control, 158 logout capabilities, or interoperable internationalization. 160 2.2.1. Basic Authentication 162 Basic Authentication (normally called just "Basic") transmits 163 usernames and passwords in the clear. It is very easy to implement, 164 but not at all secure unless used over a secure transport. 166 Basic has very poor scalability properties because credentials must 167 be revalidated with every request, and because secure transports 168 negate many of HTTP's caching mechanisms. Some implementations use 169 cookies in combination with Basic credentials, but there is no 170 standard method of doing so. 172 Since Basic credentials are clear text, they are reusable by any 173 party. This makes them compatible with any authentication database, 174 at the cost of making the user vulnerable to mismanaged or malicious 175 servers, even over a secure channel. 177 Basic is not interoperable when used with credentials that contain 178 characters outside of the ISO 8859-1 repertoire. 180 2.2.2. Digest Authentication 182 In Digest Authentication, the client transmits the results of hashing 183 user credentials with properties of the request and values from the 184 server challenge. Digest is susceptible to man-in-the-middle attacks 185 when not used over a secure transport. 187 Digest has some properties that are preferable to Basic and Cookies. 188 Credentials are not immediately reusable by parties that observe or 189 receive them, and session data can be transmitted along side 190 credentials with each request, allowing servers to validate 191 credentials only when absolutely necessary. Authentication data 192 session keys are distinct from other protocol traffic. 194 Digest includes many modes of operation, but only the simplest modes 195 enjoy any degree of interoperability. For example, most 196 implementations do not implement the mode that provides full message 197 integrity. Additionally, implementation experience has shown that 198 the message integrity mode is impractical because it requires servers 199 to analyze the full request before determining whether the client 200 knows the shared secret. 202 Digest is extremely susceptible to offline dictionary attacks, making 203 it practical for attackers to perform a namespace walk consisting of 204 a few million passwords [[ CITATION NEEDED ]]. 206 Many of the most widely-deployed HTTP/1.1 clients are not compliant 207 when GET requests include a query string [Apache_Digest]. 209 Digest either requires that authentication databases be expressly 210 designed to accomodate it, or requires access to cleartext passwords. 211 As a result, many authentication databases that chose to do the 212 former are incompatible, including the most common method of storing 213 passwords for use with Forms and Cookies. 215 Many Digest capabilities included to prevent replay attacks expose 216 the server to Denial of Service attacks. 218 Digest is not interoperable when used with credentials that contain 219 characters outside of the ISO 8859-1 repertoire. 221 2.2.3. Other Access Authentication Schemes 223 There are many niche schemes that make use of the HTTP Authentication 224 framework, but very few are well documented. Some are bound to 225 transport layer connections. 227 2.2.3.1. Negotiate (GSS-API) Authentication 229 [[ A discussion about "SPNEGO-based Kerberos and NTLM HTTP 230 Authentication in Microsoft Windows" [RFC4559] goes here.]] 232 2.3. Centrally-Issued Tickets 234 Many large Internet services rely on authentication schemes that 235 center on clients consulting a single service for a time-limited 236 ticket that is validated with undocumented heuristics. Centralized 237 ticket issuing has the advantage that users may employ one set of 238 credentials for many services, and clients don't send credentials to 239 many servers. This approach is often no more than a sophisticated 240 application of forms and cookies. 242 All of the schemes in wide use are proprietary and non-standard, and 243 usually are undocumented. There are many standardization efforts in 244 progress, as usual. 246 2.4. Web Services 248 Many security properties mentioned in this document have been recast 249 in XML-based protocols, using HTTP as a substitute for TCP. Like the 250 amalgam of HTTP technologies mentioned above, the XML-based protocols 251 are defined by an ever-changing combination of standard and vendor- 252 produced specifications, some of which may be obsoleted at any time 253 [WS-Pagecount] without any documented change control procedures. 254 These protocols usually don't have much in common with the 255 Architecture of the World Wide Web. It's not clear why term "Web" is 256 used to group them, but they are obviously out of scope for HTTP- 257 based application protocols. 259 2.5. Transport Layer Security 261 [[ A discussion of HTTP over TLS needs to be added here. ]] 263 [[ Discussion of connection confidentiality should be separate from 264 the discussion of access authentication based on mutual 265 authentication with certificates in TLS. ]] 267 3. Revisions To HTTP 269 Is is possible that HTTP will be revised in the future. "HTTP/1.1" 270 [RFC2616] and "Use and Interpretation of HTTP Version Numbers" 271 [RFC2145] define conformance requirements in relation to version 272 numbers. In HTTP 1.1, all authentication mechanisms are optional, 273 and no single transport substrate is specified. Any HTTP revision 274 that adds a mandatory security mechanism or transport substrate will 275 have to increment the HTTP version number appropriately. All widely 276 used schemes are non-standard and/or proprietary. 278 4. Security Considerations 280 This entire document is about security considerations. 282 5. Normative References 284 [Apache_Digest] 285 Apache Software Foundation, "Apache HTTP Server - 286 mod_auth_digest", . 289 [RFC2026] Bradner, S., "The Internet Standards Process -- Revision 290 3", BCP 9, RFC 2026, October 1996. 292 [RFC2109] Kristol, D. and L. Montulli, "HTTP State Management 293 Mechanism", RFC 2109, February 1997. 295 [RFC2145] Mogul, J., Fielding, R., Gettys, J., and H. Nielsen, "Use 296 and Interpretation of HTTP Version Numbers", RFC 2145, 297 May 1997. 299 [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., 300 Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext 301 Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. 303 [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., 304 Leach, P., Luotonen, A., and L. Stewart, "HTTP 305 Authentication: Basic and Digest Access Authentication", 306 RFC 2617, June 1999. 308 [RFC2965] Kristol, D. and L. Montulli, "HTTP State Management 309 Mechanism", RFC 2965, October 2000. 311 [RFC3365] Schiller, J., "Strong Security Requirements for Internet 312 Engineering Task Force Standard Protocols", BCP 61, 313 RFC 3365, August 2002. 315 [RFC3631] Bellovin, S., Schiller, J., and C. Kaufman, "Security 316 Mechanisms for the Internet", RFC 3631, December 2003. 318 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 319 Resource Identifier (URI): Generic Syntax", STD 66, 320 RFC 3986, January 2005. 322 [RFC4559] Jaganathan, K., Zhu, L., and J. Brezak, "SPNEGO-based 323 Kerberos and NTLM HTTP Authentication in Microsoft 324 Windows", RFC 4559, June 2006. 326 [WS-Pagecount] 327 Bray, T., "WS-Pagecount", September 2004, . 330 Appendix A. Acknowledgements 332 Much of the material in this document was written by Rob Sayre, who 333 first promoted the topic. 335 Appendix B. Document History 337 [This entire section is to be removed when published as an RFC.] 339 B.1. Changes between draft-sayre-http-security-variance-00 and 340 draft-ietf-http-security-properties-00 342 Changed the authors to Paul Hoffman and Alexey Melnikov, with 343 permission of Rob Sayre. 345 Made lots of minor editorial changes. 347 Removed what was section 2 (Requirements Notation), the reference to 348 RFC 2119, and any use of 2119ish all-caps words. 350 In 3.2.1 and 3.2.2, changed "Latin-1 range" to "ISO 8859-1 351 repertoire" to match the defintion of "TEXT" in RFC 2616. 353 Added minor text to the Security Considerations section. 355 Added URLs to the two non-RFC references. 357 Authors' Addresses 359 Paul Hoffman 360 VPN Consortium 362 Email: paul.hoffman@vpnc.org 364 Alexey Melnikov 365 Isode Ltd. 367 Email: alexey.melnikov@isode.com 369 Full Copyright Statement 371 Copyright (C) The IETF Trust (2008). 373 This document is subject to the rights, licenses and restrictions 374 contained in BCP 78, and except as set forth therein, the authors 375 retain all their rights. 377 This document and the information contained herein are provided on an 378 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 379 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 380 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 381 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 382 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 383 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 385 Intellectual Property 387 The IETF takes no position regarding the validity or scope of any 388 Intellectual Property Rights or other rights that might be claimed to 389 pertain to the implementation or use of the technology described in 390 this document or the extent to which any license under such rights 391 might or might not be available; nor does it represent that it has 392 made any independent effort to identify any such rights. Information 393 on the procedures with respect to rights in RFC documents can be 394 found in BCP 78 and BCP 79. 396 Copies of IPR disclosures made to the IETF Secretariat and any 397 assurances of licenses to be made available, or the result of an 398 attempt made to obtain a general license or permission for the use of 399 such proprietary rights by implementers or users of this 400 specification can be obtained from the IETF on-line IPR repository at 401 http://www.ietf.org/ipr. 403 The IETF invites any interested party to bring to its attention any 404 copyrights, patents or patent applications, or other proprietary 405 rights that may cover technology that may be required to implement 406 this standard. Please address the information to the IETF at 407 ietf-ipr@ietf.org. 409 Acknowledgment 411 Funding for the RFC Editor function is provided by the IETF 412 Administrative Support Activity (IASA).