Re: AW: AW: Secure Chrome

From: James A. Donald <jamesd@echeque.com>
Date: Sat, 15 Jul 2006 13:46:58 +1000
Message-ID: <44B86532.8030008@echeque.com>
CC: public-usable-authentication@w3.org

     --
Amir Herzberg wrote:
 > such XSS attacks can be launched even against existing
 > automated login mechanisms (pw managers). This can be
 > prevented if sites provide the necessary details to
 > allow the pw managers to send the login credentials
 > over secure connection (not via form submit)

What do you have in mind that is better than form submit
over an HTTPS connection?

 > or using an appropriate secure protocol.

Such as?

One problem with the existing system is that people
prove knowledge of shared secrets by revealing them to
someone else who (supposedly) already knows them. Shared
secrets should never be revealed.  Rather, those holding
the shared secrets should prove to each other knowledge
of them.  I suspect you have in mind intent to fix this
problem, but are being coy because it is off topic or
something.

     --digsig
          James A. Donald
      6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
      Ahcsqo0pQ5PJ3au7l5qPz6qIbAx3RtAr5lPSTHeR
      4Wi0wKg1xnkRUKjoaQ9+FrNFoxcDOb+JWLHCXI6nz
Received on Saturday, 15 July 2006 09:31:41 GMT
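To make the point in the reply concrete, here is an added example (not code from the original post or from anyone on the list) of a mutual challenge-response login in which both sides prove knowledge of the shared secret and the secret itself is never transmitted, in contrast to a form submit that sends the password in the clear inside the TLS tunnel. It assumes an HMAC-SHA256 construction and constructed sample passwords; both are illustrative choices, not something the thread specifies.

```python
import hmac
import hashlib
import os

def derive_key(password: bytes) -> bytes:
    # Both sides turn the shared password into a fixed-length HMAC key.
    return hashlib.sha256(password).digest()

def prf(key: bytes, label: bytes, c_nonce: bytes, s_nonce: bytes) -> bytes:
    # HMAC over a role label plus both nonces: every run yields a fresh
    # value, and a client proof can never be replayed as a server proof.
    return hmac.new(key, label + c_nonce + s_nonce, hashlib.sha256).digest()

def run_exchange(client_password: bytes, server_password: bytes):
    """Simulate one login between a client and a server that may or may not
    hold the same secret (a look-alike site would not).
    Returns (server_accepts_client, client_accepts_server, transcript),
    where transcript holds every byte string that crossed the wire."""
    transcript = []
    # 1. client -> server: fresh client nonce
    c_nonce = os.urandom(16)
    transcript.append(c_nonce)
    # 2. server -> client: fresh server nonce
    s_nonce = os.urandom(16)
    transcript.append(s_nonce)
    # 3. client -> server: proof of knowledge; the password is never sent
    c_key = derive_key(client_password)
    c_proof = prf(c_key, b"client", c_nonce, s_nonce)
    transcript.append(c_proof)
    # Server recomputes the proof from its own copy and compares in constant time.
    s_key = derive_key(server_password)
    server_ok = hmac.compare_digest(c_proof, prf(s_key, b"client", c_nonce, s_nonce))
    if not server_ok:
        # Server refuses before proving anything about itself.
        transcript.append(b"AUTH-FAIL")
        return False, False, transcript
    # 4. server -> client: the server's own proof, so a site that lacks the
    #    secret cannot satisfy the client either.
    s_proof = prf(s_key, b"server", c_nonce, s_nonce)
    transcript.append(s_proof)
    client_ok = hmac.compare_digest(s_proof, prf(c_key, b"server", c_nonce, s_nonce))
    return server_ok, client_ok, transcript

def secret_on_wire(password: bytes, transcript) -> bool:
    # Check the defender's invariant: the secret appears in no message.
    return any(password in msg for msg in transcript)

if __name__ == "__main__":
    ok_server, ok_client, wire = run_exchange(b"hunter2", b"hunter2")
    print("mutual auth:", ok_server and ok_client, "secret leaked:", secret_on_wire(b"hunter2", wire))
    print("wrong secret:", run_exchange(b"hunter2", b"wrong")[:2])
```

A plain HMAC challenge-response still lets an eavesdropper who records the transcript guess a weak password offline, which is the gap a PAKE closes; it does, however, satisfy the thread's requirement that the secret itself never be revealed to the other side.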

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:34:14 GMT