
[Bug 11912] HTML5 provides an opportunity to fix a long-running problem with HTTP Authentication. HTTP Authentication is important, because it is the only way to execute a request with 100% certainty that the user has provided an authentication secret. Furthermore,

From: <bugzilla@jessica.w3.org>
Date: Fri, 04 Mar 2011 02:22:22 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1PvKes-0004r9-4T@jessica.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=11912

Jeremy <jeremy@blazonco.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #13 from Jeremy <jeremy@blazonco.com> 2011-03-04 02:22:21 UTC ---
(In reply to comment #12)
> Incidentally, zewt on #whatwg pointed out you can get all the security benefits
> of your scheme using cookies:
> 
> <zewt> (AryehGregor: not necessarily useful to that person, but if I really
> needed that, I'd probably do something along the lines of storing an encrypted
> password in the cookie with a key on the server, so the server can decrypt it
> for each request and then throw it away)
> 
> That way the server still doesn't have to store any credential info that an
> attacker could profitably compromise.

1. For the spoofing attack, now I just have to figure out where you store the
key.  Or are you generating a new key on each request?  No matter how many
levels of indirection you put between me and the stored session key, I can
still get to it.  There is simply no way to make it impossible; only really
hard.

2. You're still storing your database credentials using this mechanism.

Anyway, Hixie has made the decision.  If he doesn't see what I'm trying to say
then I doubt anyone else on the WG would.  What a shame - we had a chance here
to provide a way to pass credentials directly from the user's brain to backend
services without having to store them on the web server.  Would have been great
for security; in fact I think it would have soon become an industry-wide best
practice if the UA support was there.  Oh well.  I'll set it to CLOSED.

Received on Friday, 4 March 2011 02:22:23 GMT
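
The cookie scheme quoted from comment #12, sketched as an added example that is not part of the original message or the bug thread: the server seals the credentials with AES-256-GCM, keeps only the key, and decrypts per request. All function and variable names are hypothetical, and the key held by the server is the remaining secret that point 1 of the reply is about.

```javascript
// Added illustration, not code from the bug thread. All names are hypothetical.
const crypto = require('node:crypto');

// Assumption: the key lives only in server memory or config. It is the one
// secret whose disclosure exposes every sealed cookie (the reply's point 1).
const SERVER_KEY = crypto.randomBytes(32);

// Seal the user's credentials into an opaque cookie value (AES-256-GCM).
function sealCredentials(key, username, password) {
  const iv = crypto.randomBytes(12); // fresh nonce for every cookie issued
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const plaintext = Buffer.from(JSON.stringify({ username, password }), 'utf8');
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16-byte authentication tag
  return Buffer.concat([iv, tag, ct]).toString('base64url');
}

// Per request: decrypt, pass the credentials to the backend, then drop them.
// Returns null for a malformed, tampered or wrong-key cookie.
function openCredentials(key, cookieValue) {
  try {
    const raw = Buffer.from(cookieValue, 'base64url');
    if (raw.length < 12 + 16 + 1) return null; // too short to hold iv+tag+data
    const iv = raw.subarray(0, 12);
    const tag = raw.subarray(12, 28);
    const ct = raw.subarray(28);
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
    decipher.setAuthTag(tag);
    const pt = Buffer.concat([decipher.update(ct), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch (err) {
    return null; // tag check failed or payload was not valid JSON
  }
}

// Flip one bit of the ciphertext to model a client editing its own cookie.
function tamper(cookieValue) {
  const raw = Buffer.from(cookieValue, 'base64url');
  raw[raw.length - 1] ^= 0x01;
  return raw.toString('base64url');
}
```

The server stores no per-user credential, but anyone who obtains SERVER_KEY can open every cookie it has issued, so the key needs the same protection a stored credential would.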
