W3C home > Mailing lists > Public > public-usable-authentication@w3.org > July 2006

Re: AW: AW: Secure Chrome

From: Amir Herzberg <amir.herzberg@gmail.com>
Date: Fri, 14 Jul 2006 10:59:22 +0300
Message-ID: <44B74EDA.2040907@gmail.com>
To: spam filter <spam@jeff-nelson.com>
CC: Jörg Schwenk <joerg.schwenk@ruhr-uni-bochum.de>, public-usable-authentication@w3.org

spam filter wrote:
> On 6/15/06, Amir Herzberg <amir.herzberg@gmail.com> wrote:
>> Another thing which would have been really nice is a standard definition
>> of the sensitive fields (password, cc#, etc...) - like ECML (rest in
>> peace :-) ) but that is not as difficult to do by hand...
>
> This is an important area which is largely not addressed yet.  We need
> indicators for mutual authentication and session to prevent session
> takeover attacks and validate identity of the remote server.
>
> For example, a user can be made to authenticate to her bank, but
> through a XSS attack, that session can be taken over by an attacker in
> order to request sensative information.  If the bank proves its
> identity after authentication and throughout the session, such attacks
> could be preventable.
Absolutely, and more: such XSS attacks can be launched even against 
existing automated login mechanisms (pw managers). This can be prevented 
if sites provide the necessary details to allow the pw managers to send 
the login credentials over secure connection (not via form submit), or 
using an appropriate secure protocol. What I recommend is 
standardization of appropriate <META> info that will allow the 
client-side code (login manager) to use the appropriate secure mechanism.

I believe this goal is widely supported in this group and I think Thomas 
does think of it as part of the charter (is it not clear enough from the 
text?)

Best, Amir
>
>   - Jeff
>
Received on Friday, 14 July 2006 08:00:25 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:34:14 GMT