WebKit / standards-positions

WebKit's positions on emerging web specifications
https://webkit.org/standards-positions/

RFC7616: Support #212

Open rojer opened 1 year ago

rojer commented 1 year ago

WebKittens

No response

Title of the spec

RFC 7616 Digest auth: Support SHA-256, SHA-512-256 and user hashing

URL to the spec

https://datatracker.ietf.org/doc/html/rfc7616

URL to the spec's repository

No response

Issue Tracker URL

https://bugs.chromium.org/p/chromium/issues/detail?id=1160478

Explainer URL

No response

TAG Design Review URL

No response

Mozilla standards-positions issue URL

No response

WebKit Bugzilla URL

No response

Radar URL

No response

Description

Blink intends to add support for modern digest algorithms for HTTP digest authentication, as specified in RFC 7616. No major impact is expected, and Firefox has already supported them since 93. I've been asked to seek WebKit's opinion on the matter. For reference, the Chrome status entry is here, the blink-dev discussion thread is here. The proposed code change is here.

annevk commented 1 year ago

Discussing this with colleagues it's been our hope to eventually be able to deprecate HTTP authentication. So it's a bit surprising to see continued investment from Google.

Could you please elaborate on the motivation behind this?

miketaylr commented 1 year ago

So it's a bit surprising to see continued investment from Google.

This issue (and the related intent) wasn't sent by a Google employee - so the "from: Google" label is incorrect.

annevk commented 1 year ago

Thank you for the correction! I guess we should be following blink-dev to figure out what Google thinks of this.

rojer commented 1 year ago

@annevk yeah, I'm not affiliated with Google. HTTP digest authentication is still useful, and is being used on small-footprint devices as an easy way of securing access to a web UI. In particular, TLS+basic is usually not available there due to lack of a trusted certificate, a TLS implementation, or both, and digest gives at least a modest improvement over plain basic or form-based authentication. Our company produces small-footprint devices, and I would like us to eventually move to a better digest algorithm than MD5, that's all.

annevk commented 1 year ago

It's not clear to me how you can be safe from network attackers without TLS?

rojer commented 1 year ago

With plain basic or general cookie auth, a network attacker gains persistence: they can intercept the credentials and maintain access even after they no longer have access to network traffic. So it's not absolute protection, but a fair bit better than sending credentials in plain text.
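Worked example of what the thread is discussing, added here and not code from the issue author, WebKit or Blink: the RFC 7616 `response` computation for `qop=auth` with MD5 or SHA-256, the `userhash` username form, and a constructed server-side verifier that stores H(A1) instead of the password and rejects replays of a captured `Authorization` header via the nonce count. The `DigestVerifier` class, its method names, and all sample values (realm, user, URI, nonce, cnonce) are constructed for this illustration; SHA-512-256 is omitted because `hashlib` support for it varies between Python builds.

```python
"""RFC 7616 Digest Authentication: client response computation and a
constructed server-side verifier (MD5 / SHA-256, qop=auth, userhash).

Added illustration for this thread, not WebKit/Blink code. The realm,
user, URI, nonce and cnonce values used below are constructed samples.
"""
import hashlib
import secrets

# RFC 7616 algorithm tokens mapped to hash constructors. SHA-512-256 is
# left out because hashlib support for it differs between Python builds.
ALGORITHMS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}


def _h(algorithm: str, data: str) -> str:
    """H(data): lowercase hex digest of the negotiated hash (RFC 7616, 3.4)."""
    return ALGORITHMS[algorithm](data.encode("utf-8")).hexdigest()


def ha1(algorithm: str, username: str, realm: str, password: str) -> str:
    """H(A1) with A1 = username ":" realm ":" password (RFC 7616, 3.4.2)."""
    return _h(algorithm, f"{username}:{realm}:{password}")


def userhash(algorithm: str, username: str, realm: str) -> str:
    """Username value sent on the wire when userhash=true (RFC 7616, 3.4.4)."""
    return _h(algorithm, f"{username}:{realm}")


def digest_response(algorithm, username, password, realm, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """Client-side 'response' parameter for qop=auth (RFC 7616, 3.4.1).

    A1 always uses the real username, even when the username field on the
    wire carries userhash() instead.
    """
    a2 = _h(algorithm, f"{method}:{uri}")
    kd_input = f"{ha1(algorithm, username, realm, password)}:{nonce}:{nc}:{cnonce}:{qop}:{a2}"
    return _h(algorithm, kd_input)


class DigestVerifier:
    """Constructed verifier: keeps H(A1) per user (never the password) and
    tracks the nonce count per issued nonce so a captured header cannot be
    replayed. Without TLS this still does not authenticate the server or
    protect the response body, which is the caveat raised in the thread."""

    def __init__(self, realm: str, algorithm: str = "SHA-256"):
        self.realm = realm
        self.algorithm = algorithm
        self._ha1 = {}        # username (plain or userhash form) -> H(A1)
        self._nonce_nc = {}   # issued nonce -> highest nc accepted so far

    def add_user(self, username: str, password: str) -> None:
        h = ha1(self.algorithm, username, self.realm, password)
        self._ha1[username] = h
        # Also index by the hashed username so userhash=true clients resolve.
        self._ha1[userhash(self.algorithm, username, self.realm)] = h

    def issue_nonce(self) -> str:
        nonce = secrets.token_urlsafe(24)
        self._nonce_nc[nonce] = 0
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response) -> bool:
        h = self._ha1.get(username)
        if h is None or nonce not in self._nonce_nc:
            return False
        count = int(nc, 16)
        if count <= self._nonce_nc[nonce]:   # replayed or reordered request
            return False
        a2 = _h(self.algorithm, f"{method}:{uri}")
        expected = _h(self.algorithm, f"{h}:{nonce}:{nc}:{cnonce}:auth:{a2}")
        if not secrets.compare_digest(expected, response):
            return False
        self._nonce_nc[nonce] = count
        return True


if __name__ == "__main__":
    realm = "http-auth@example.org"           # constructed sample realm
    srv = DigestVerifier(realm, "SHA-256")
    srv.add_user("Mufasa", "Circle of Life")  # constructed sample credentials
    nonce = srv.issue_nonce()
    args = ("GET", "/dir/index.html", nonce, "00000001", "constructed-cnonce")
    resp = digest_response("SHA-256", "Mufasa", "Circle of Life", realm, *args)
    print("first request accepted:", srv.verify("Mufasa", *args, resp))
    print("replayed header accepted:", srv.verify("Mufasa", *args, resp))
```

The client side is the whole of what RFC 7616 changes relative to RFC 2617: the same string layout, with `hashlib.md5` swapped for `hashlib.sha256` and an optional hashed username. The verifier's nonce-count check is what stops an intercepted `Authorization` header from being reused, which is the property the last comment contrasts with basic and cookie auth.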