
Introduction

Many users are familiar with SSL-encrypted web pages that ask them for their username and password to log into a web site. With SSL, web browsers use a gold lock as a visual cue to indicate to users that their username and password will be transmitted securely over the Internet. For example, this is what Wells Fargo Bank customers see in the lower right-hand corner of the Internet Explorer 6.0 and FireFox 1.0 browsers when they log into their account:

Internet Explorer 6.0

FireFox 1.0

Although SSL is widely used to allow users to securely log into a web site, it is not the only method that modern browsers support. Another method, which is just as secure, is called Integrated Windows Authentication (hereafter called IWA). Most web browsers (all versions of Internet Explorer, and recent versions of Gecko-based browsers such as FireFox 1.0) support IWA.

Whereas SSL uses the widely recognized gold lock visual cue to indicate to the user that it is safe to type your password, IWA uses a different (but just as valid) visual cue to reassure the user that it is safe to type your password. Some users have recently raised the concern that, since the visual cues differ between the SSL and IWA methods, some reassurance of the safety and validity of IWA should be given to the GLAST community; that is the purpose of this article.

How IWA works

Roughly speaking, there are two ways to authenticate a user to a web site, called Forms Based Authentication and Browser Based Authentication. The method many users are familiar with is Forms Based Authentication, which is when a form embedded in a web page prompts a user for their username and password over an SSL connection to the web server. The user types their username and password into the web form and clicks the submit button, which sends the credentials to the web server over the encrypted SSL channel for authentication. It is important to point out that the user's web browser has no idea that the user is logging into the web site - all that the web browser knows is that it is sending information to the remote web site over an SSL channel.

The Browser Based Authentication mechanism is different in that it uses the browser's built-in functionality to authenticate a user to a web site. It is important to point out that the user's web browser fully participates in logging the user into the web site - a completely different approach from the Forms/SSL method. Since the browser knows it is logging the user into a remote web site, it can use a built-in dialog box to ask the user for their username and password. Here are the dialog boxes used by Internet Explorer 6.0 and FireFox 1.0:

Internet Explorer 6.0

FireFox 1.0
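The difference between the two mechanisms is visible on the wire: a site using Browser Based Authentication answers an unauthenticated request with a 401 status and a WWW-Authenticate challenge (Negotiate or NTLM for IWA), which is what makes the browser show its own dialog, while a forms-based site just returns a page containing a password field. The following added example (not code from the original page or from SLAC) classifies constructed sample responses on that basis; it also separates IWA from HTTP Basic, which triggers the same browser dialog but only base64-encodes the password.

```python
import re
from typing import List, Tuple

# Constructed sample HTTP responses (not captured from any real server).
# A forms-based site returns an ordinary page containing a password field;
# the browser does not know that a login is happening.
FORMS_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<form method="post" action="/login"><input type="password" name="pw"></form>'
)
# An IWA-enabled server challenges the browser, which then shows its own dialog.
IWA_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\nContent-Length: 0\r\n\r\n"
)
# HTTP Basic produces the same browser dialog but sends the password base64-encoded only.
BASIC_RESPONSE = 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="glast"\r\n\r\n'


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]], str]:
    """Split a raw HTTP/1.x response into (status, [(name, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def challenge_schemes(headers: List[Tuple[str, str]]) -> List[str]:
    """Authentication schemes offered via WWW-Authenticate (the header may repeat)."""
    schemes = []
    for name, value in headers:
        if name == "www-authenticate":
            m = re.match(r"([A-Za-z0-9._-]+)", value)
            if m:
                schemes.append(m.group(1).lower())
    return schemes


def classify_auth(raw: str) -> str:
    """Decide whether a response represents browser-based or forms-based login."""
    status, headers, body = parse_response(raw)
    schemes = challenge_schemes(headers)
    if status == 401 and schemes:
        if {"negotiate", "ntlm"} & set(schemes):
            return "browser-based (IWA)"
        return "browser-based (" + "/".join(schemes) + ")"
    if re.search(r'<input[^>]+type="password"', body, re.IGNORECASE):
        return "forms-based"
    return "none"
```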

For both the Forms/SSL and Browser based authentication mechanisms, it is important that the user trusts the web site they are logging into. For example, just because you use an SSL-encrypted form to send your username and password to a remote web site doesn't mean that your password is safe. If the programmer who created the remote web site is inexperienced in security issues, they could easily do something to compromise your password without intending to do so. Because security is so important and so easy for a programmer to get wrong, the Department of Energy requires SLAC to not allow programmers to ever ask a user for their username and password unless they obtain special permission from the lab.

It is important to the user that they trust the web site they are sending their credentials to, which is why the browser dialog boxes display the site name. In the dialog boxes above, it is clear to the user that they are connecting to the web site http://glast-ground.slac.stanford.edu/

While SSL visual cues are convenient, they don't remove the responsibility from the user of trusting the web server they are sending their credentials to.

aren't necessary. It is important to Browsers use the same

introduces IWA to users, and

The Windows web server called Internet Information Services version 6 (hereafter referred to as IIS) has the ability to authenticate users using something called Integrated Windows Authentication (hereafter called IWA, formerly called NTLM in previous versions of IIS). IWA is a secure method for users to prove to an IIS web server that they are who they say they are.

is well known, web browsers such as Internet Explorer and FireFox 1.0 include support for IWA.

for This is a secure that comes with
