top | item 36105546


mLuby | 2 years ago

> We just need to take away the developer's choice and force them to integrate

Who's we? Who are they integrating with? A protocol? A business? A government?

This has been tried in a multitude of ways. There's always a bit too much friction or cost.


c4mpute | 2 years ago

Also, all the standards were crap.

HTTP got basic auth, which is crap because plaintext password transmission happens, also the browsers never got around to implementing any sensible UI (e.g. you cannot log off). Then it got digest auth, which at least wasn't plaintext in transmission, but required plaintext password storage on the server. Then came negotiate, which only worked with some proprietary products, had even worse UI and was unusable outside a company's internal net.

Alongside that, there was HTTPS client auth, where, instead of fixing known problems, standards devolved into "sorry, we don't support that anymore". Also, the UI was crap.

Alongside that, there are homegrown methods using web forms, cookies, a lot of spit and maybe some JavaScript, which everyone uses atm. Everyone rolls their own, because over decades, standard bodies couldn't get their shit together. Also, everyone suffered from the corresponding attacks on all the weak and broken homegrown crap out there.

There is friction and cost, but those come from a lack of trying and a lack of giving a fuck by the people building web browsers, web servers and web standards. They basically declared the problem solved after the invention of cookies.

singpolyma3 | 2 years ago

Since everything is TLS now, basic auth no longer transmits in the clear. But I agree browser vendors have refused to bother putting in even the bare minimum of effort for years. I've been subscribed to the Firefox ticket to allow HTTP auth logout for my entire adult life.

mjec | 2 years ago

> HTTP got basic auth, which is crap because plaintext password transmission happens...

Plaintext submission happens with HTML forms too. The problem with Basic is the password goes with every request. That means you're exposing a long term credential to a higher risk. We want to exchange the long term credential for a short term one, ideally scope limited. That is far less catastrophic to revoke, and gives you some power of granularity (you can at the very least have some operations prompt for the password again). It also means you can limit risk on the server: only one page has access to the long term credentials, which can be more easily audited, or even hosted on dedicated servers.

WebAuthn has been the real savior here. Real cryptography has always been desirable for this, and removing per-site passwords is honestly just a bonus.
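The credential exchange described in the comment above, as an added Python example that is not from the thread: `login()` is the only function that ever sees the password and hands back a short-lived, scope-limited token; every other operation validates the token and never touches the long-term credential. The signing key, salt, user store and token format are constructed for the example.

```python
import base64, hashlib, hmac, json, os, secrets, time

SIGNING_KEY = os.urandom(32)   # constructed: per-deployment key for token signatures
SALT = b"constructed-salt"     # constructed; use a per-user random salt in practice

def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"alice": _hash_pw("correct horse")}   # constructed user store, no plaintext passwords
REVOKED = set()                                 # ids of tokens revoked before their expiry

def login(user: str, password: str, scopes: list, ttl: int = 300, now=None):
    """The one operation that sees the long-term credential; returns a scoped token or None."""
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored, _hash_pw(password)):
        return None
    now = time.time() if now is None else now
    payload = {"sub": user, "scope": scopes, "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode())
    sig = hmac.new(SIGNING_KEY, body, "sha256").digest()
    return body.decode() + "." + base64.urlsafe_b64encode(sig).decode()

def authorize(token: str, needed_scope: str, now=None):
    """Every other endpoint: check signature, expiry, revocation and scope, never the password."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), "sha256").digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig)):
            return None
        payload = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError, KeyError):
        return None
    now = time.time() if now is None else now
    if payload["exp"] <= now or payload["jti"] in REVOKED or needed_scope not in payload["scope"]:
        return None
    return payload["sub"]

def revoke(token: str):
    """Revoking the short-term token is cheap and leaves the password itself untouched."""
    REVOKED.add(json.loads(base64.urlsafe_b64decode(token.split(".")[0]))["jti"])
```

A password prompt for sensitive operations is then just a second `login()` call with a narrower scope and shorter `ttl`.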

waste_monk | 2 years ago

>also the browsers never got around to implement any sensible UI (e.g. you cannot log off)

FWIW, in Firefox you can go to "clear recent history" and then uncheck everything but "active logins". This will wipe out any currently logged in basic auth.