[Zope-dev] question: forcing https for authentication

Jamie Heilman jamie@audible.transient.net
Thu, 16 Jan 2003 10:58:50 -0800


Oliver Bleutgen wrote:
> One thing that bothers me is that I cannot reliably (as in "in a generic 
> way which always works") prevent users from sending their authentication 
> unencrypted.

Well, it's true you can't prevent users from compromising their
credentials, but you can prevent users from coming in the wrong door,
as it were.  I'm not clear on which one you really hope to accomplish,
though from your proposed modifications it looks like the latter.
Preventing users from compromising their creds can only be effectively
done through education.  For example, even if you used client
certificates (which, afaik, are only used once an encrypted channel
has been established) instead of basic auth there's nothing to stop a
user from giving their cert and any requisite ancillary usage
information (like the passphrase to decrypt it) to somebody else.

> The only ideas I have to tackle this without modifying zope itself are
> 
> - customize all pages which need authentication to check for "https://" 
> in one of the relevant REQUEST attributes and do a redirect if not.
> - use apache with some magic to trigger redirection if it encounters 
> authentication headers in the request.
> - use apache with some rewrite magic trigger redirection when a 
> substring like "manage" is found in the request.
> 
> These alternatives are neither elegant, nor really secure.

I would agree the first two aren't sane, the third however is as good
and as secure as you're going to get.  Techniques for accomplishing it
have been discussed on the zope list before and are undoubtedly in the
archives.  The mods you've posted with respect to guarding the
WWW-Authenticate header aren't likely to work, and certainly wouldn't
be flexible enough to allow, for example, mandating SSL usage for all
/manage* requests while allowing clear-text basic auth for other
restricted areas.  Apache rewrite rules OTOH are flexible enough to
allow this.  I'm unclear as to why you consider it to be insecure;
care to elaborate?

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"Most people wouldn't know music if it came up and bit them on the ass."
                                                        -Frank Zappa
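As an added illustration of the third approach Jamie endorses above (this is example configuration written for this page, not anything Jamie or Oliver posted), here is an Apache front end that bounces any clear-text request whose path contains "manage" to HTTPS, while leaving other URLs reachable over plain HTTP. The host name `zope.example.org`, the Zope back-end address `127.0.0.1:8080`, the certificate paths, and the use of Zope's VirtualHostMonster for URL rewriting are all assumptions; adjust them to the real deployment.

```apache
# --- Plain-HTTP virtual host: only job is to refuse clear-text management access.
<VirtualHost *:80>
    ServerName zope.example.org        # assumed host name

    RewriteEngine On
    # If the connection is not already TLS and the path mentions "manage"
    # (covers /manage, /manage_main, /foo/manage_workspace, ...),
    # answer with a redirect to the same URL on https.  The clear-text
    # request itself is never forwarded to Zope, so no protected page
    # is served and no WWW-Authenticate challenge is issued on port 80.
    RewriteCond %{HTTPS} !=on
    RewriteCond %{REQUEST_URI} manage
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Everything else may proceed unencrypted; VirtualHostMonster tells
    # Zope which scheme/host to use when generating absolute URLs.
    ProxyPass        / http://127.0.0.1:8080/VirtualHostBase/http/zope.example.org:80/VirtualHostRoot/
    ProxyPassReverse / http://127.0.0.1:8080/VirtualHostBase/http/zope.example.org:80/VirtualHostRoot/
</VirtualHost>

# --- TLS virtual host: the only door through which /manage* is reachable.
<VirtualHost *:443>
    ServerName zope.example.org        # assumed host name
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/zope.example.org.pem   # placeholder path
    SSLCertificateKeyFile /etc/ssl/private/zope.example.org.key # placeholder path

    ProxyPass        / http://127.0.0.1:8080/VirtualHostBase/https/zope.example.org:443/VirtualHostRoot/
    ProxyPassReverse / http://127.0.0.1:8080/VirtualHostBase/https/zope.example.org:443/VirtualHostRoot/
</VirtualHost>
```

Two points worth checking when deploying something like this. First, the redirect happens before any authentication challenge, so a browser that has never logged in over HTTP has no cached credentials for the http: origin to leak; credentials entered after the redirect are cached against the https: origin only, which is what makes the scheme hold up in practice. Second, the match is on the path substring, so it is only as good as your knowledge of which URLs expose management screens; a quick `curl -I http://zope.example.org/manage_main` should return a 301 to the https URL and never a 401, and the same check against any other path you consider sensitive will tell you whether the pattern is wide enough.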