[Mod_nss-list] Problem 2

Jennings, Jared L CTR USAF AFMC 46 SK/CCI jared.jennings.ctr at eglin.af.mil
Mon May 9 22:09:58 UTC 2011


> I agree that the code looking for / is a bug. mod_nss is a derivation
> from the mod_ssl code, this must be a piece I missed when implementing
> this originally. I'll take a look.

If you're going to detect spoof attempts solely by the username (and
that's all you have in this function), there needs to be some way of
separating a username that looks FakeBasicAuthed from a username that
doesn't look that way, quickly, easily, and without messing with it too
much (any smart processing you do may have a flaw, which adversarial
users could try to exploit).

So it's true that the / is an unintended holdover from mod_ssl -- but
it's also true that / is generally a weird character to start a
manually-typeable user name with, and that checking the first character
of the username is one of the simplest, dumbest things you can do.

All told, I've come around to thinking it's a good idea to make mod_nss
FakeBasicAuth usernames start with /, and to check for that when
spoof-checking - you just need to have the whole DN after the slash, not
only the CN, because otherwise two certs from different issuers but
having the same CN would lead to the same username, leading to
unintended consequences in the authorization stage.
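The two points of the message above, as an added example that is not mod_nss code: a first-character spoof check, and FakeBasicAuth names built from the whole subject DN rather than only the CN. The function names and subject DNs are constructed for illustration, and the sketch assumes the two certificates' subject DNs differ outside the CN.

```c
#include <stdio.h>
#include <string.h>

/* Spoof check: refuse a client-typed Basic auth username that starts
 * with '/', the marker reserved for FakeBasicAuth names. */
int looks_fake_basic_auth(const char *user)
{
    return user != NULL && user[0] == '/';
}

/* FakeBasicAuth name as "/" + whole subject DN. Returns 0, or -1 if it
 * does not fit: a truncated DN could collide with another certificate. */
int fake_name_full_dn(const char *dn, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/%s", dn);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* CN-only variant, kept to show the collision. Simplified parsing: takes
 * the first "CN=" up to the next ',' and ignores escaped commas. */
int fake_name_cn_only(const char *dn, char *out, size_t outlen)
{
    const char *cn = strstr(dn, "CN=");
    if (cn == NULL)
        return -1;
    size_t len = strcspn(cn + 3, ",");
    int n = snprintf(out, outlen, "/%.*s", (int)len, cn + 3);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed subject DNs: same CN, certificates from different issuers. */
    const char *dn_a = "CN=jsmith,OU=People,O=Example Org A";
    const char *dn_b = "CN=jsmith,OU=People,O=Example Org B";
    char a[128], b[128];

    fake_name_cn_only(dn_a, a, sizeof a);
    fake_name_cn_only(dn_b, b, sizeof b);
    printf("CN only: %s vs %s -> %s\n", a, b, strcmp(a, b) ? "distinct" : "COLLIDE");

    fake_name_full_dn(dn_a, a, sizeof a);
    fake_name_full_dn(dn_b, b, sizeof b);
    printf("full DN: %s vs %s -> %s\n", a, b, strcmp(a, b) ? "distinct" : "COLLIDE");

    printf("typed \"jsmith\" flagged: %d, typed \"%s\" flagged: %d\n",
           looks_fake_basic_auth("jsmith"), a, looks_fake_basic_auth(a));
    return 0;
}
```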



