W3C home > Mailing lists > Public > public-usable-authentication@w3.org > July 2006

AW: AW: AW: Secure Chrome

From: Jörg Schwenk <joerg.schwenk@ruhr-uni-bochum.de>
Date: Fri, 14 Jul 2006 13:27:39 +0200
To: <public-usable-authentication@w3.org>
Message-ID: <015301c6a738$840c17b0$1b289386@jotop>
I strongly support this idea, having in mind that in Germany (and some other
countries) Transaction numbers (TANs) have to be typed into a HTML form,
which are somewhat different from passwords:
- they can not be chosen by the customer, they are generated by the bank.
- they can not automatically be modified.
- they are not bound to sessions, but to transactions.

XSS should be a topic for the next generation of browsers, together with a
secure object model for Javascript (which may be inside the scope of W3C).

Clearly outside our scope are malware-based attacks on internal browser
interfaces: http://www.infoworld.com/pdf/special_report/2006/18SRmalware.pdf


Joerg



-----Ursprüngliche Nachricht-----
Von: Amir Herzberg [mailto:amir.herzberg@gmail.com] 
Gesendet: Freitag, 14. Juli 2006 09:59
An: spam filter
Cc: Jörg Schwenk; public-usable-authentication@w3.org
Betreff: Re: AW: AW: Secure Chrome

spam filter wrote:
> On 6/15/06, Amir Herzberg <amir.herzberg@gmail.com> wrote:
>> Another thing which would have been really nice is a standard definition
>> of the sensitive fields (password, cc#, etc...) - like ECML (rest in
>> peace :-) ) but that is not as difficult to do by hand...
>
> This is an important area which is largely not addressed yet.  We need
> indicators for mutual authentication and session to prevent session
> takeover attacks and validate identity of the remote server.
>
> For example, a user can be made to authenticate to her bank, but
> through a XSS attack, that session can be taken over by an attacker in
> order to request sensative information.  If the bank proves its
> identity after authentication and throughout the session, such attacks
> could be preventable.
Absolutely, and more: such XSS attacks can be launched even against 
existing automated login mechanisms (pw managers). This can be prevented 
if sites provide the necessary details to allow the pw managers to send 
the login credentials over secure connection (not via form submit), or 
using an appropriate secure protocol. What I recommend is 
standardization of appropriate <META> info that will allow the 
client-side code (login manager) to use the appropriate secure mechanism.

I believe this goal is widely supported in this group and I think Thomas 
does think of it as part of the charter (is it not clear enough from the 
text?)

Best, Amir
>
>   - Jeff
>




Received on Friday, 14 July 2006 11:27:57 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:34:14 GMT