Resistance of <keygen> to client-side attack

From: Alan Egerton <eggyal@gmail.com>
Date: Wed, 13 Jun 2012 18:51:00 +0100
Message-ID: <CA+phaed=aR0sfOdVOU75h6=KTjgjr0gBALBMwRpeiLQj-RCu7w@mail.gmail.com>
To: public-html-comments@w3.org

Looking over <http://dev.w3.org/html5/spec/the-keygen-element.html>,
what is there to prevent a client-side script from removing the keygen
element from the DOM and replacing it with an attacker's key?  One
presumes that the "challenge" attribute was intended to overcome such
threats, but the malicious script can read the challenge value and
generate/sign its own key accordingly.

Perhaps the browser should provide keys generated by <keygen> to the
server in an HTTP header that cannot be accessed/manipulated by
client-side script?

-- Alan
Received on Thursday, 14 June 2012 09:17:08 UTC
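
The check a server can run on a keygen submission, as an added example that is not part of the original message or of the specification: it builds a SignedPublicKeyAndChallenge by hand and verifies it with Node's `crypto.Certificate`, showing that a valid signature plus a matching challenge proves key possession and freshness, not that the key came from the browser's keygen. The challenge strings and the names `der`, `makeSpkac`, `serverAccepts` and `demo` are constructed for illustration.

```javascript
const crypto = require('crypto');

// Minimal DER TLV encoder (definite lengths up to 65535 bytes).
function der(tag, content) {
  const n = content.length;
  const hdr = n < 0x80 ? [tag, n]
    : n < 0x100 ? [tag, 0x81, n]
    : [tag, 0x82, n >> 8, n & 0xff];
  return Buffer.concat([Buffer.from(hdr), content]);
}

// AlgorithmIdentifier: sha256WithRSAEncryption (1.2.840.113549.1.1.11), NULL parameters.
const SHA256_RSA = Buffer.from('300d06092a864886f70d01010b0500', 'hex');

// Build what a keygen form field carries: base64 SignedPublicKeyAndChallenge.
// Any code holding a key pair and the challenge string can produce this.
function makeSpkac(challenge) {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const spki = publicKey.export({ type: 'spki', format: 'der' });
  const ia5 = der(0x16, Buffer.from(challenge, 'ascii'));         // IA5String
  const pkac = der(0x30, Buffer.concat([spki, ia5]));             // PublicKeyAndChallenge
  const sig = crypto.sign('sha256', pkac, privateKey);            // PKCS#1 v1.5
  const bits = der(0x03, Buffer.concat([Buffer.from([0]), sig])); // BIT STRING
  const spkac = der(0x30, Buffer.concat([pkac, SHA256_RSA, bits]));
  return { spkac: spkac.toString('base64'), spki };
}

// Server-side check: signature verifies under the embedded key, challenge matches.
function serverAccepts(spkacB64, expectedChallenge) {
  const buf = Buffer.from(spkacB64);
  if (!crypto.Certificate.verifySpkac(buf)) return false;
  return crypto.Certificate.exportChallenge(buf).toString() === expectedChallenge;
}

// Constructed sample: one challenge, two independent key holders.
function demo() {
  const challenge = 'constructed-challenge-0001';
  const fromKeygen = makeSpkac(challenge);  // stands in for the browser's <keygen>
  const fromOther = makeSpkac(challenge);   // stands in for any other key holder
  return {
    keygenAccepted: serverAccepts(fromKeygen.spkac, challenge),
    otherAccepted: serverAccepts(fromOther.spkac, challenge),
    sameKey: fromKeygen.spki.equals(fromOther.spki),
    staleAccepted: serverAccepts(fromKeygen.spkac, 'constructed-challenge-0000'),
  };
}
```

Both submissions pass the same check with different keys, and only the stale challenge is rejected, so the server has nothing in the structure itself that ties the key to the browser's key store.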
