Re: Risks the password role does create from Richard Schwerdtfeger on 2016-06-22 (public-aria@w3.org from June 2016)

From: Richard Schwerdtfeger <richschwer@gmail.com>
Date: Wed, 22 Jun 2016 14:05:33 -0500
To: Mike Cooper <cooper@w3.org>
Cc: ARIA <public-aria@w3.org>
Message-Id: <60C99904-9532-4BF8-A690-EFEF128DF448@gmail.com>

I agree with your last statement. I think that has a lot to do with our introducing a new feature and consequently it has gotten much more focus than a feature that has been around for a long time. When HTML first came out there were not object inspectors in the browsers. Browser technology has changed dramatically since HTML4. 


I don’t think anyone disagrees that the world would benefit from an alternative to passwords for secure logins. 

Rich


> On Jun 22, 2016, at 1:53 PM, Michael Cooper <cooper@w3.org> wrote:
> 
> On 22/06/2016 1:58 PM, Richard Schwerdtfeger wrote:
>> Well, 
>> 
>> Michael, as it turns out input type=“password” is not secure either. I will be filing an APA issue. 
>> 
> This does bring up some concerns about the bar we should meet. One argument in the WG against the password role (though properly I think that is an argument against custom passwords, not the role per se) is that HTML passwords are more secure. But the HTML 5.1 password spec <https://www.w3.org/TR/html51/sec-forms.html#password-state-typepassword> doesn't say much about the security protections user agents provide, aside from "The user agent should obscure the value so that people other than the user cannot see it." For custom password fields, that would be an author responsibility, regardless of whether they use the password role.
> 
> I can't find any other guidance in the HTML spec about protecting password fields, and this has likely been true for several versions. Maybe there is some de facto security implemented long ago by most browsers so there wasn't seen a need to address it in the spec, though since a main goal of HTML 5 was to document existing browser behavior, it's a surprise this didn't come up. I don't have information about what proportion of user agents do provide that security, and wonder if interoperability testing data exists on this. If Rich has found implementations that don't meet the level of security we assume, then it brings further questions about whether comparing to HTML should be a reason for decisions we make on the ARIA feature.
> 
> At the moment I think the draft ARIA password role text has more security guidance for AT and authors than the HTML spec.
> 
> Michael

Received on Wednesday, 22 June 2016 19:06:04 UTC