- From: Chris Drake <christopher@pobox.com>
- Date: Sat, 15 Jul 2006 23:29:56 +1000
- To: "James A. Donald" <jamesd@echeque.com>
- CC: public-usable-authentication@w3.org
Hi James,

XSS can steal anything - passwords, pw-manager credentials, and/or cookies - discussion of HTTPS/pw-manager/etc as some kind of solution to XSS simply makes no sense whatsoever.

Kind Regards,
Chris Drake

Saturday, July 15, 2006, 1:46:58 PM, you wrote:

JAD> --
JAD> Amir Herzberg wrote:
>> such XSS attacks can be launched even against existing
>> automated login mechanisms (pw managers). This can be
>> prevented if sites provide the necessary details to
>> allow the pw managers to send the login credentials
>> over secure connection (not via form submit)
JAD> What do you have in mind that is better than form submit
JAD> over an HTTPS connection?
>> or using an appropriate secure protocol.
JAD> Such as?
JAD> One problem with the existing system is that people
JAD> prove knowledge of shared secrets by revealing them to
JAD> someone else who (supposedly) already knows them. Shared
JAD> secrets should never be revealed. Rather, those holding
JAD> the shared secrets should prove to each other knowledge
JAD> of them. I suspect you have in mind intent to fix this
JAD> problem, but are being coy because it is off topic or
JAD> something.
JAD> --digsig
JAD> James A. Donald
JAD> 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
JAD> Ahcsqo0pQ5PJ3au7l5qPz6qIbAx3RtAr5lPSTHeR
JAD> 4Wi0wKg1xnkRUKjoaQ9+FrNFoxcDOb+JWLHCXI6nz
Received on Saturday, 15 July 2006 13:30:31 UTC