I'd be interested to hear thoughts on HTTP digest auth as an alternative to full end-to-end encryption for avoiding these attacks.
Personally I'm hopeful that Firesheep will be what it takes to persuade browser vendors (and the HTML5 crowd) that real usable support for HTML login forms based on HTTP digest authentication is a necessity.
There are some pretty significant issues involved in rolling out full-on SSL which while not insurmountable do lead one to wonder if a more lightweight solution like HTTP digest auth might be sufficient for most non-security-critical cases.
Definitely. The hardest thing to sell, when it comes to regular HTTP digest auth, is the user interface. People (clients) truly prefer pretty and insecure over ugly and secure.
For sure. Hence the need for browser vendors to provide hooks - via new HTML5 form attributes, a Javascript API, or ideally both, to enable us to develop our own, usable HTML-based session login and logout forms with HTTP auth.
This is incredibly necessary for HTTP authentication to be useful, and bizarrely, has been given little to no attention over the years. There's a proposal for HTTP authentication in HTML dating all the way back to 1999:
Also, HTTP authentication is a benefit to RESTful service design. Cookies have always been the wrong solution to this problem, having all web services to move to HTTPS feels like missing the point.
It's all been discussed by WHATWG/W3C and the conclusion was that cookies have too large momentum, Digest is not secure enough, and everyone should be using HTTPS.
Digest is vulnerable to MITM attacks. It's only secure against passive sniffing, but if you can sniff, you usually can also modify response, spoof DNS/ARP/base station. If everyone switched to Digest, it would be only a matter of time when someone writes Digest-stripping Firesheep2.
1. Even if Facebook used HTTP digest auth for people logging into facebook.com, I don't see how I could use HTTP digest auth for people logging into my website using their Facebook ID. (Also for OpenID, signing in with Twitter, etc.)
2. As a pragmatic matter, it seems more likely that Microsoft would update the various versions of Internet Explorer on Windows XP to support SNI, than that all web browsers (including Internet Explorer on Windows XP) would be updated to support HTTP digest auth with a customisable UI.
Having said that, I'm in favour of web browsers supporting both technologies.
> In the past, an SSL service required a dedicated IP address. This isn’t true any more with the advent of Server Name Indication (RFC 3546) and improvements in TLS.
Since all of the browsers on Windows XP use the Windows SChannel API none of them support SNI. That includes the beloved Google Chrome, FireFox, and Safari. (Not sure about Opera on Windows XP)
That is unfortunately an issue that only Microsoft can rectify unless developers on the Windows platform want to take the time and effort to re-implement parts of the SChannel API.
My apologies regarding FireFox. I don't use FireFox and when I do it is from a Mac OS X machine.
Either way Internet Explorer doesn't support it and as such it is still a no-go from a usability stand point since XP still has such a large market share.
If you used cookies with HTTP-only and secure flags, then cookies alone should be safe, but the site wouldn't.
Someone could sniff login forms via injected scripts (XSS = game over) and modify page's content via unprotected CSS and images (which aids phishing, clickjacking).
Personally I'm hopeful that Firesheep will be what it takes to persuade browser vendors (and the HTML5 crowd) that real usable support for HTML login forms based on HTTP digest authentication is a necessity.
There are some pretty significant issues involved in rolling out full-on SSL which while not insurmountable do lead one to wonder if a more lightweight solution like HTTP digest auth might be sufficient for most non-security-critical cases.
On this topic http://www.cgisecurity.com/2010/01/weaning-the-web-off-of-se...
is worth a read.