The Internet Engineering Task Force held a session in Chicago on Tuesday to debate whether HTTP should be tweaked to fix known errors or completely reworked to address its well-known security weaknesses.
CHICAGO -- Is the time ripe to revamp HTTP, the communications standard that underpins most of the information sharing on the Internet?
That’s what leading Internet engineers, gathered in Chicago for one of their regular thrice-annual meetings, discussed in a spirited debate on Tuesday.
The Hypertext Transfer Protocol (HTTP) is the main way that information is published and retrieved from the World Wide Web. The protocol was developed jointly by the IETF and the World Wide Web Consortium (W3C). In use on the Web since 1990, HTTP was standardized in 1999 in RFC 2616.
The IETF held a session on Tuesday to debate whether HTTP should be tweaked to fix known errors or completely reworked to address its well-known security weaknesses.
Internet luminaries are lining up on either side of the debate.
Pushing for minimal corrections of HTTP are Web inventor Tim Berners-Lee, the W3C and engineers from Microsoft, Adobe and HP. This camp outlined its recommendations for tweaking HTTP in a draft document published by the IETF in June.
"The current plan is to incorporate known errata, and to update the specification text according to the current IETF publication guidelines," the draft document states.
Others are arguing for the standards bodies to bolster the authentication mechanisms available for HTTP and make them mandatory. This camp argues that built-in authentication would help eliminate the widespread problems of spoofing and phishing, although it also would remove anonymity.
"We need to clean this mess up and that means facing the reality of HTTP security," argued John Klensin, an e-mail pioneer, former AT&T and MCI Worldcom executive, and former chair of the Internet Architecture Board that oversees the IETF.
"We need to move forward in parallel" with fixing known errors in HTTP and addressing its authentication weaknesses, Klensin added.
Former IETF chair and Cisco Fellow Harald Alvestrand recommended a similar two-pronged approach to fixing HTTP.
"We need the rat hole of security for HTTP open so we can kill some rats, but we also need to get useful work done [fixing HTTP errors] without waiting for that rat hole to be opened," Alvestrand said.
Here’s how HTTP works: An end user requests information using a Web browser from an origin server, which responds with HTML files or images. In between the user and server are proxies, gateways and tunnels. HTTP transfers the hypermedia information between the user and server over a transport mechanism such as TCP/IP.
HTTP doesn’t include built-in security. Instead, two optional security mechanisms known as basic and digest access authentication are outlined in a separate standard known as RFC 2617.
The basic authentication system sends user names and passwords in the clear over the network, so it must be used with an external security system such as Secure Sockets Layer (SSL).
The digest access authentication system verifies passwords using a scheme based on cryptographic hashes.
Neither of the standardized HTTP authentication methods is popular. Instead, most Web developers use HTML forms with session keys stored in cookies to secure HTTP communications and ensure message confidentiality and integrity. However, cookies have well-known security and privacy problems, too.
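The two RFC 2617 schemes described above, as an added example that is not part of the original article: the Basic credential is only a reversible encoding (hence the need for SSL underneath), while Digest sends a hash bound to the server's nonce and lets the server store HA1 instead of the password. The sample values are the worked examples from RFC 2617 itself (sections 2 and 3.5), used here as test vectors.

```python
import base64
import hashlib
import hmac


def basic_header(user: str, password: str) -> str:
    """Basic scheme (RFC 2617 section 2): base64 of 'user:password'."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_recover(header: str) -> tuple:
    """Base64 is an encoding, not encryption: anyone who observes the header
    gets the password back, which is why Basic needs SSL/TLS underneath."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


def _h(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = H(user:realm:password); this is all the server needs to keep."""
    return _h(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side, qop=auth: response = H(HA1:nonce:nc:cnonce:qop:HA2),
    with HA2 = H(method:uri). The password itself never goes on the wire."""
    ha2 = _h(f"{method}:{uri}")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_verify(stored_ha1, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server side: recompute from the stored HA1 and compare in constant time.
    A response made for another nonce or URI fails, which blunts replay."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # RFC 2617 section 2 example: Aladdin / "open sesame"
    print(basic_header("Aladdin", "open sesame"))  # Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    # RFC 2617 section 3.5 example: Mufasa / "Circle Of Life"
    ha1 = digest_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    print(digest_response(ha1, "GET", "/dir/index.html",
                          "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"))
```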
Participants in the IETF debate favored setting up a new working group to fix HTTP’s errors and create a document that outlines known security holes. Whether the group would address HTTP authentication mechanisms remains to be seen.
The IETF has tried but failed twice before to establish a working group to fix HTTP problems.
"It’s an interesting time for HTTP," said Mark Nottingham, an engineer with Yahoo who led the HTTP discussion. "There have been other attempts to revise RFC 2616, but perhaps it wasn’t the right time or the stars weren’t aligned. But I do think this is a unique opportunity to get it done."