W3C home > Mailing lists > Public > public-html-bugzilla@w3.org > February 2011

[Bug 11912] HTML5 provides an opportunity to fix a long-running problem with HTTP Authentication. HTTP Authentication is important, because it is the only way to execute a request with 100% certainty that the user has provided an authentication secret. Furthermore,

From: <bugzilla@jessica.w3.org>
Date: Wed, 02 Feb 2011 14:47:03 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1Pkdz5-0006Yh-Rt@jessica.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=11912

--- Comment #8 from Aryeh Gregor <Simetrical+w3cbug@gmail.com> 2011-02-02 14:47:03 UTC ---
(In reply to comment #7)
> Not everyone's situation is like that.  Other people live in the real world,
> and not all of them write the same apps as you.

Then it would help your case a lot if you provided specific examples of
real-world (*not* hypothetical) applications that you've worked on or used,
explained a specific real-world attack that could be carried out on those
applications, and explained how HTTP auth would have prevented that attack.  If
the application is secret or in-house, you could give a basic rundown of how
it's set up, as much as is necessary to understand the attack.

> 1. I have never seen an attack which steals credentials out of a user agent's
> memory, and if one exists, then it's not my responsibility to combat that. 
> It's the author of the user agent who must be on the lookout for such
> vulnerabilities.  If you meant that they would steal it out of the user's saved
> passwords, then your users' saved passwords are no less vulnerable to that
> attack.

With cookies, there's not much need to save passwords.  Lots of sites will let
you stay logged in for months or forever without having to re-enter your
password.  But if you use basic HTTP auth, then you either have to re-enter
your password for every site every time you start the browser, or have it save
the passwords to disk.  So it will encourage password saving much more
strongly.

> 2. If the attacker can steal credentials out of the UA's memory, they can just
> as easily steal a session cookie, or a 'log me in automatically' cookie.  And
> there are many more vectors for stealing a session cookie than the hypothetical
> one you described for stealing HTTP credentials.

Yes, but a stolen cookie is much less damaging.  It can have a limited
lifetime, can be canceled, and doesn't give information about the password
itself (which is significant when users use the same or similar passwords
across sites, which most do).  A leaked password is much worse.

> I'll try to stop debating now.

I actually think we're making progress.

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Wednesday, 2 February 2011 14:47:05 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 2 February 2011 14:47:06 GMT