[tor-bugs] #3748 [TorBrowserButton]: Isolate HTTP Auth to top-level domain

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Sat Aug 27 19:19:02 UTC 2011

#3748: Isolate HTTP Auth to top-level domain
 Reporter:  mikeperry         |          Owner:  mikeperry                    
     Type:  defect            |         Status:  new                          
 Priority:  major             |      Milestone:  TorBrowserBundle 2.2.x-stable
Component:  TorBrowserButton  |        Version:                               
 Keywords:                    |         Parent:                               
   Points:                    |   Actualpoints:                               

Comment(by gk):

 > Georg - I noticed you strip off the WWW-Authenticate header from 3rd
 > party responses. Does that serve any security purpose, or does it exist
 > just to prevent 3rd parties from being able to open auth prompts?
 It does serve a security purpose. If one would not do this 3rd party sites
 would be able to track users without notice, i.e. without creating an auth
 prompt at all, until one isolates HTTP auth to the urlbar. The status quo
 is by far not perfect but was the only solution I was capable of
 implementing within a short timeframe.
 > I am thinking that we might want the auth prompts to show up. They would
 > be evidence of a tracking attack using this mechanism. If the adversary
 > doesn't get the Authenticate header they want and then sets WWW-
 > Authenticate, the browser would effectively be alerting the user that the
 > site is trying to track them.
 We were pondering that question and, yes, it is quite appealing to show
 the auth prompts. And basically you get that feature for free already if
 you do not strip off the 3rd party response headers but the 3rd party
 request headers (meaning: "Authorization: ..."). The thing is getting e.g.
 a 401 back from the server while there are already proper authentication
 tokens in the cache makes Firefox "think" that there might be something
 wrong here and an auth prompt shows up. The big problem is to explain to
 the normal user what is going on. If they just surf the web and suddenly
 get an auth prompt I bet almost nobody knows what to do here. One solution
 that comes to my mind would be to somehow hook into these dialogs and show
 e.g. a red warning text. While hooking into dialogs is not a problem I
 fear that it is hard to get just those we want.
 > It might also help users diagnose issues in the event that this feature
 > breaks some other site that requires 3rd party auth.
 While I cannot imagine that one really needs this kind of authentication I
 can imagine that some people have already implemented it. And therefore,
 yes, that may help debugging as well. Hence, if we solve the above problem
 with transporting the issue to John Doe iff there is a 3rd party tracking
 risk then I am in favor of getting an auth prompt at any rate.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3748#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
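The tracking mechanism and the two cache policies debated in the ticket, as an added simulation that is not part of the ticket or of the Torbutton code. The host names, the visitor identifier and the silent seeding step (a credential learned on a first-party visit) are constructed assumptions; the point it shows is that keying cached HTTP-auth credentials by first-party domain both breaks the cross-site linkage and turns the tracker's 401 into a visible dialog.

```python
"""Simulate HTTP-auth tracking by a third party, with and without first-party isolation."""
from base64 import b64encode
from collections import defaultdict


class Tracker:
    """Constructed third-party host that reads Authorization as a cookie substitute."""

    def __init__(self):
        self.seen = defaultdict(list)  # identifier -> first-party sites it was loaded on

    def handle(self, headers, first_party):
        auth = headers.get("Authorization")
        if auth is None:
            # No credential: challenge. Without isolation this is never hit after
            # the seeding visit, so the user never sees a dialog.
            return 401, {"WWW-Authenticate": 'Basic realm="t"'}
        self.seen[auth].append(first_party)
        return 200, {}


class Browser:
    def __init__(self, isolate):
        self.isolate = isolate  # key the credential cache by first-party domain?
        self.cache = {}         # cache key -> Authorization header value
        self.prompts = 0        # auth dialogs the user would see

    def _key(self, first_party, host):
        return (first_party, host) if self.isolate else host

    def seed(self, first_party, host, user):
        """Credential learned silently, e.g. from a http://user:x@host/ URL (assumed)."""
        token = b64encode(f"{user}:x".encode()).decode()
        self.cache[self._key(first_party, host)] = "Basic " + token

    def load(self, first_party, host, server):
        key = self._key(first_party, host)
        headers = {"Authorization": self.cache[key]} if key in self.cache else {}
        status, _ = server.handle(headers, first_party)
        if status == 401:
            self.prompts += 1  # unanswered challenge surfaces as an auth dialog
        return status


def simulate(isolate):
    """Return (sites the tracker could link to one visitor, dialogs the user saw)."""
    tracker, browser = Tracker(), Browser(isolate)
    browser.seed("tracker.example", "tracker.example", "visitor-42")  # first-party visit
    for site in ("news.example", "shop.example"):  # later loaded as a third party
        browser.load(site, "tracker.example", tracker)
    linked = max((len(v) for v in tracker.seen.values()), default=0)
    return linked, browser.prompts
```

Without isolation the tracker links both sites to the same visitor and no dialog appears; with isolation it links nothing and the user sees one dialog per embedding site, which is the signal the ticket wants to make understandable.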
