15.2 Offering a Choice of Authentication Schemes
An HTTP/1.1 server may return multiple challenges with a 401
(Authenticate) response, and each challenge may use a different
Fielding, et. al. Standards Track [Page 140]
�
RFC 2068 HTTP/1.1 January 1997
scheme. The order of the challenges returned to the user agent is in
the order that the server would prefer they be chosen. The server
should order its challenges with the "most secure" authentication
scheme first. A user agent should choose as the challenge to be made
to the user the first one that the user agent understands.
When the server offers choices of authentication schemes using the
WWW-Authenticate header, the "security" of the authentication is only
as malicious user could capture the set of challenges and try to
authenticate him/herself using the weakest of the authentication
schemes. Thus, the ordering serves more to protect the user's
credentials than the server's information.
A possible man-in-the-middle (MITM) attack would be to add a weak
authentication scheme to the set of choices, hoping that the client
will use one that exposes the user's credentials (e.g. password). For
this reason, the client should always use the strongest scheme that
it understands from the choices accepted.
An even better MITM attack would be to remove all offered choices,
and to insert a challenge that requests Basic authentication. For
this reason, user agents that are concerned about this kind of attack
could remember the strongest authentication scheme ever requested by
a server and produce a warning message that requires user
confirmation before using a weaker one. A particularly insidious way
to mount such a MITM attack would be to offer a "free" proxy caching
service to gullible users.
15.3 Abuse of Server Log Information
A server is in the position to save personal data about a user's
requests which may identify their reading patterns or subjects of
interest. This information is clearly confidential in nature and its
handling may be constrained by law in certain countries. People using
the HTTP protocol to provide data are responsible for ensuring that
such material is not distributed without the permission of any
individuals that are identifiable by the published results.
15.4 Transfer of Sensitive Information
Like any generic data transfer protocol, HTTP cannot regulate the
content of the data that is transferred, nor is there any a priori
method of determining the sensitivity of any particular piece of
information within the context of any given request. Therefore,
applications SHOULD supply as much control over this information as
possible to the provider of that information. Four header fields are
worth special mention in this context: Server, Via, Referer and From.
Fielding, et. al. Standards Track [Page 141]
�
RFC 2068 HTTP/1.1 January 1997
Revealing the specific software version of the server may allow the
server machine to become more vulnerable to attacks against software
that is known to contain security holes. Implementers SHOULD make the
Server header field a configurable option.
Proxies which serve as a portal through a network firewall SHOULD
take special precautions regarding the transfer of header information
that identifies the hosts behind the firewall. In particular, they
SHOULD remove, or replace with sanitized versions, any Via fields
generated behind the firewall.
The Referer field allows reading patterns to be studied and reverse
links drawn. Although it can be very useful, its power can be abused
if user details are not separated from the information contained in
the Referer. Even when the personal information has been removed, the
Referer field may indicate a private document's URI whose publication
would be inappropriate.
The information sent in the From field might conflict with the user's
privacy interests or their site's security policy, and hence it
SHOULD NOT be transmitted without the user being able to disable,
enable, and modify the contents of the field. The user MUST be able
to set the contents of this field within a user preference or
application defaults configuration.
We suggest, though do not require, that a convenient toggle interface
be provided for the user to enable or disable the sending of From and
Referer information.