
Upgrading the Plumbing

Thomas Powell

Infrastructure, online and offline alike, becomes outdated or outmoded, and the core protocol of Web transmission – HTTP – is no exception. For years, Web developers have been both served and stymied by this simple, stateless protocol. Consider, for example, authentication under HTTP. Basic Authentication should be familiar to readers as the scheme that uses the ugly browser dialog box challenge:

[Image: browser Basic Authentication login prompts]

The mere fact that the login prompts are ugly leads some people to avoid this approach. Worse, from a security standpoint Basic Authentication isn't a great way to protect anything, because the credentials are sent Base64-encoded, which is essentially plain text.

[Image: Basic Authentication credentials sent in the clear]

If you aren’t using SSL you are pretty much exposed out in the open. Yikes!

You could instead employ Digest authentication, which looks the same from the user's prompt but sends a hash derived from the password rather than the password itself. Unfortunately it is poorly implemented in browsers and servers, so few people use it.
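To make the difference between the two schemes concrete, here is an added example (not code from the original article): it decodes a constructed Basic `Authorization` header back to the username and password, and computes the Digest `response` value in the RFC 2617 MD5 `qop=auth` form, where only hashes leave the client. The sample credentials and nonce values are constructed for illustration.

```python
import base64
import hashlib

# Constructed sample: what a browser sends after the Basic Authentication
# dialog is filled in with user "alice" and password "s3cret".
SAMPLE_BASIC_HEADER = "Authorization: Basic " + base64.b64encode(b"alice:s3cret").decode()


def decode_basic_credentials(header_line):
    """Return (username, password) from an 'Authorization: Basic ...' line.

    Base64 is an encoding, not encryption: anyone who can read the request
    (e.g. on plain HTTP without SSL) recovers the password with one call.
    """
    value = header_line.partition(":")[2].strip()
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    # RFC 2617: credentials are "userid:password", split on the FIRST colon
    # so passwords containing ':' survive.
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def digest_response(username, realm, password, method, uri, nonce,
                    nc="00000001", cnonce="0a4f113b", qop="auth"):
    """Compute the RFC 2617 Digest 'response' (MD5 algorithm, qop=auth).

    The server recomputes the same value from its own copy of the password
    and compares; the password itself never crosses the wire.
    """
    def md5(text):
        return hashlib.md5(text.encode("utf-8")).hexdigest()

    ha1 = md5(f"{username}:{realm}:{password}")   # user-realm-password hash
    ha2 = md5(f"{method}:{uri}")                   # method-URI hash
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


if __name__ == "__main__":
    print("Basic header decodes to:", decode_basic_credentials(SAMPLE_BASIC_HEADER))
    print("Digest response:", digest_response(
        "alice", "example.com", "s3cret", "GET", "/secret",
        "dcd98b7102dd2f0e8b11d0f600bfb0c093"))
```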

Even if you were willing to live with HTTP authentication, you run into other problems, the first being: how do you actually log out? The easy answer is that you can't; the more subtle answer is that you sort of can, depending on the browser and technology in play. At best the solution is messy. Why you should care might not be obvious, but without a logout you are exposed to potential CSRF attacks against a previously authenticated site you may have visited. Very dangerous stuff!

The rough edges of HTTP authentication encourage most folks to turn to form- and cookie-based authentication systems. Of course such systems have their own problems. While you can customize them to your heart's content, the use of cookies brings problems with session hijacking, as well as users who are wary of the privacy implications of the technology. If we could rid ourselves of cookies for authentication we would close off a number of common attacks and refocus users' privacy fears on the actual bad uses of such technologies.

Ok, so the trade-offs in Web authentication aren't great – but what does all this have to do with the plumbing of the Web? Well, this type of ugliness and other problems might be fixed someday! HTTP is finally going to get an overhaul; the only question is how much of one. Recently the IETF took up discussing HTTP again and the camps are forming quickly. One camp says we should make some small changes and tighten the protocol down (see http://tools.ietf.org/html/draft-lafon-rfc2616bis-03). Another camp says let's fix this horribly old mechanism that does not address the security, commerce and transport challenges of today.

I see the merits of both arguments and think it likely that both will end up being done: the short-term changes will be made, along with the long-term acknowledgment that HTTP 1.1 really does need a pretty major upgrade. However, don't hold your breath; both upgrades could still take a while to come to fruition. This is a pretty massive overhaul, and if the adoption of IPv6 is any guide, maybe your children will use the new protocols.
