
Re: AW: AW: Secure Chrome

From: James A. Donald <jamesd@echeque.com>
Date: Sat, 15 Jul 2006 13:46:58 +1000
Message-ID: <44B86532.8030008@echeque.com>
CC: public-usable-authentication@w3.org

Amir Herzberg wrote:
 > such XSS attacks can be launched even against existing
 > automated login mechanisms (pw managers). This can be
 > prevented if sites provide the necessary details to
 > allow the pw managers to send the login credentials
 > over secure connection (not via form submit)

What do you have in mind that is better than form submit
over an HTTPS connection?

 > or using an appropriate secure protocol.

Such as?

One problem with the existing system is that people
prove knowledge of shared secrets by revealing them to
someone else who (supposedly) already knows them. Shared
secrets should never be revealed.  Rather, those holding
the shared secrets should prove to each other knowledge
of them.  I suspect you have in mind intent to fix this
problem, but are being coy because it is off topic or

          James A. Donald
Received on Saturday, 15 July 2006 09:31:41 UTC
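
The idea in the message above, that each party proves knowledge of a shared secret rather than revealing it, can be sketched as a nonce-based HMAC challenge-response. This is an added example, not part of the original post; the function names, role labels and message layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def prove(secret: bytes, role: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """MAC over a role label and both fresh nonces, keyed with the shared secret.

    The role label keeps one side's proof from being reflected back as the
    other side's proof; the nonces keep an old proof from being replayed.
    """
    msg = role + b"|" + client_nonce + b"|" + server_nonce
    return hmac.new(secret, msg, hashlib.sha256).digest()


def mutual_auth(client_secret: bytes, server_secret: bytes):
    """Run one exchange in-process.

    Returns (server_accepts_client, client_accepts_server, wire), where wire
    lists every message that crossed the connection.
    """
    wire = []

    # 1. client -> server: fresh 16-byte nonce
    nc = secrets.token_bytes(16)
    wire.append(nc)

    # 2. server -> client: fresh nonce plus the server's proof
    ns = secrets.token_bytes(16)
    server_proof = prove(server_secret, b"server", nc, ns)
    wire += [ns, server_proof]

    # The client checks the server first and stops if the proof is wrong,
    # so an impostor server never receives the client's proof.
    expected = prove(client_secret, b"server", nc, ns)
    if not hmac.compare_digest(server_proof, expected):
        return False, False, wire

    # 3. client -> server: the client's proof, verified by the server
    client_proof = prove(client_secret, b"client", nc, ns)
    wire.append(client_proof)
    expected = prove(server_secret, b"client", nc, ns)
    return hmac.compare_digest(client_proof, expected), True, wire
```

The secret never appears on the wire, but a captured nonce and proof still let an attacker test guesses offline, so a low-entropy password needs a password-authenticated key exchange rather than a bare MAC.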
