14.46 WWW-Authenticate
The WWW-Authenticate response-header field MUST be included in 401
(Unauthorized) response messages. The field value consists of at
least one challenge that indicates the authentication scheme(s) and
parameters applicable to the Request-URI.
WWW-Authenticate = "WWW-Authenticate" ":" 1#challenge
The HTTP access authentication process is described in section 11.
User agents MUST take special care in parsing the WWW-Authenticate
field value if it contains more than one challenge, or if more than
one WWW-Authenticate header field is provided, since the contents of
a challenge may itself contain a comma-separated list of
authentication parameters.
15 Security Considerations
This section is meant to inform application developers, information
providers, and users of the security limitations in HTTP/1.1 as
described by this document. The discussion does not include
definitive solutions to the problems revealed, though it does make
some suggestions for reducing security risks.
15.1 Authentication of Clients
The Basic authentication scheme is not a secure method of user
authentication, nor does it in any way protect the entity, which is
transmitted in clear text across the physical network used as the
carrier. HTTP does not prevent additional authentication schemes and
encryption mechanisms from being employed to increase security or the
addition of enhancements (such as schemes to use one-time passwords)
to Basic authentication.
Fielding, et. al. Standards Track [Page 139]
�
RFC 2068 HTTP/1.1 January 1997
The most serious flaw in Basic authentication is that it results in
the essentially clear text transmission of the user's password over
the physical network. It is this problem which Digest Authentication
attempts to address.
Because Basic authentication involves the clear text transmission of
passwords it SHOULD never be used (without enhancements) to protect
sensitive or valuable information.
A common use of Basic authentication is for identification purposes
-- requiring the user to provide a user name and password as a means
of identification, for example, for purposes of gathering accurate
usage statistics on a server. When used in this way it is tempting to
think that there is no danger in its use if illicit access to the
protected documents is not a major concern. This is only correct if
the server issues both user name and password to the users and in
particular does not allow the user to choose his or her own password.
The danger arises because naive users frequently reuse a single
password to avoid the task of maintaining multiple passwords.
If a server permits users to select their own passwords, then the
threat is not only illicit access to documents on the server but also
illicit access to the accounts of all users who have chosen to use
their account password. If users are allowed to choose their own
password that also means the server must maintain files containing
the (presumably encrypted) passwords. Many of these may be the
account passwords of users perhaps at distant sites. The owner or
administrator of such a system could conceivably incur liability if
this information is not maintained in a secure fashion.
Basic Authentication is also vulnerable to spoofing by counterfeit
servers. If a user can be led to believe that he is connecting to a
host containing information protected by basic authentication when in
fact he is connecting to a hostile server or gateway then the
attacker can request a password, store it for later use, and feign an
error. This type of attack is not possible with Digest Authentication
[32]. Server implementers SHOULD guard against the possibility of
this sort of counterfeiting by gateways or CGI scripts. In particular
it is very dangerous for a server to simply turn over a connection to
a gateway since that gateway can then use the persistent connection
mechanism to engage in multiple transactions with the client while
impersonating the original server in a way that is not detectable by
the client.