[DAS] HTTP Authentication Plug

Andreas Kahari ak at ebi.ac.uk
Wed Oct 29 10:59:17 UTC 2008


On Wed, Oct 29, 2008 at 10:10:38AM +0000, Dave Howorth wrote:
> Steven Blanchard wrote:
> > Cons of HTTP Authentication 
> ...
> > - The challenge/response design of HTTP authentication--sending a 401
> >   Authorization Required when accessing a secured URL--would leak
> >   sensitive information. (can be mitigated)
> ...
> > - Basic authentication transmits the user name and password in the clear
> >   for every request
> 
> I think there is an issue that would need to be checked with lawyers, at
> least for people who are UK-government sponsored and are proposing to
> implement authentication for the first time.
> 
> Those affected will know that since the well-publicised leaks of private
> data by public organizations in the UK, research councils have [been
> made to] increased supervision of the data protection laws, with
> requirements for encryption of disks etc.
> 
> It's my understanding (though I am not a lawyer :) that storing a
> username together with a password constitutes 'private data' and that any
> database or other mechanism used to store that information would
> therefore need to be registered with your organisation and be audited. I
> also understand that ignoring the requirement is a sacking offence, at
> least where I work.

Most password authentication software does not store plain text
passwords, only checksums (e.g. MD5 or SHA1) of passwords.  This is the
case on modern UNIX and UNIX-like operating systems (for user login
authentication) as well as for most software systems supporting password
authentication, for example Apache (see manual for htpasswd).

Regards,
Andreas

> 
> This seems like a very powerful incentive to avoid designing any system
> that requires local storage of passwords, especially since the content
> being served does not itself usually contain any 'private data' that
> needs protecting. So it seems to me that a better and ultimately simpler
> solution is one that offloads all personal passwords to dedicated
> servers designed for the purpose and implemented and supported by IT
> security teams.
> 
> So I'd suggest checking the legal framework before making any technical
> decisions on authentication schemes.
> 
> Cheers, Dave
> _______________________________________________
> DAS mailing list
> DAS at lists.open-bio.org
> http://lists.open-bio.org/mailman/listinfo/das
> 

-- 
Andreas Kähäri, Ensembl Software Developer
European Bioinformatics Institute (EMBL-EBI)
Wellcome Trust Genome Campus, Hinxton
Cambridge CB10 1SD, United Kingdom
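As an added illustration of the point about storing only password checksums rather than passwords (example code, not from the original thread or from Apache's htpasswd), here is a small htpasswd-style store in Python. It uses salted PBKDF2-SHA256 in place of the unsalted MD5/SHA1 digests mentioned above; the line format, user names and passwords are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed, htpasswd-like line format: user:pbkdf2$iterations$salt_hex$digest_hex
ITERATIONS = 200_000


def make_entry(username: str, password: str, salt: Optional[bytes] = None) -> str:
    """Return a store line holding a salted PBKDF2-SHA256 digest, never the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{username}:pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def parse_store(text: str) -> Dict[str, Tuple[int, bytes, bytes]]:
    """Parse store lines into user -> (iterations, salt, digest); skip blanks/comments."""
    entries: Dict[str, Tuple[int, bytes, bytes]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, rest = line.split(":", 1)
        scheme, iters, salt_hex, digest_hex = rest.split("$")
        if scheme != "pbkdf2":
            raise ValueError(f"unsupported scheme for {user}: {scheme}")
        entries[user] = (int(iters), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex))
    return entries


def verify(store: Dict[str, Tuple[int, bytes, bytes]], username: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    if username not in store:
        return False
    iters, salt, expected = store[username]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(candidate, expected)


def plaintext_present(text: str, password: str) -> bool:
    """Audit helper: does the stored text contain the raw password anywhere?"""
    return password in text


# Constructed sample store with two users
SAMPLE_STORE = "\n".join([
    make_entry("alice", "correct horse battery staple"),
    make_entry("bob", "hunter2"),
])

if __name__ == "__main__":
    store = parse_store(SAMPLE_STORE)
    print(verify(store, "alice", "correct horse battery staple"))  # True
    print(verify(store, "alice", "wrong"))                          # False
    print(plaintext_present(SAMPLE_STORE, "hunter2"))               # False
```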


