Re[2]: AW: AW: Secure Chrome

From: Chris Drake <christopher@pobox.com>
Date: Sat, 15 Jul 2006 23:29:56 +1000
Message-ID: <1195993699.20060715232956@pobox.com>
To: "James A. Donald" <jamesd@echeque.com>
CC: public-usable-authentication@w3.org

Hi James,

XSS can steal anything - passwords, pw-manager credentials, and/or
cookies - discussion of HTTPS/pw-manager/etc as some kind of solution
to XSS simply makes no sense whatsoever.

Kind Regards,
Chris Drake


Saturday, July 15, 2006, 1:46:58 PM, you wrote:


JAD>      --
JAD> Amir Herzberg wrote:
 >> such XSS attacks can be launched even against existing
 >> automated login mechanisms (pw managers). This can be
 >> prevented if sites provide the necessary details to
 >> allow the pw managers to send the login credentials
 >> over secure connection (not via form submit)

JAD> What do you have in mind that is better than form submit
JAD> over an HTTPS connection?

 >> or using an appropriate secure protocol.

JAD> Such as?

JAD> One problem with the existing system is that people
JAD> prove knowledge of shared secrets by revealing them to
JAD> someone else who (supposedly) already knows them. Shared
JAD> secrets should never be revealed.  Rather, those holding
JAD> the shared secrets should prove to each other knowledge
JAD> of them.  I suspect you have in mind intent to fix this
JAD> problem, but are being coy because it is off topic or
JAD> something.

JAD>      --digsig
JAD>           James A. Donald
JAD>       6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
JAD>       Ahcsqo0pQ5PJ3au7l5qPz6qIbAx3RtAr5lPSTHeR
JAD>       4Wi0wKg1xnkRUKjoaQ9+FrNFoxcDOb+JWLHCXI6nz
Received on Saturday, 15 July 2006 13:30:31 GMT
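James's point above, that parties holding a shared secret should prove knowledge of it to each other rather than reveal it, is what a mutual challenge-response protocol does. The following is an added example, not code from the thread or from any project discussed in it. It simulates both sides of such an exchange over a constructed shared secret: each side commits to a fresh nonce, the server proves knowledge first, and the client only sends its own proof after the server's proof verifies, so a site that does not hold the secret (the phishing case) gets nothing it can replay. The secret is used only as an HMAC key, and the transcript is checked to confirm it never appears on the wire. The role tags, message order and the `prove`/`run_mutual_auth` names are assumptions of this illustration, not a standardised protocol.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for the example. In practice this would be a
# high-entropy key derived from the user's password with a password hash;
# either way it is a key for HMAC and is never placed in a message.
SHARED_SECRET = b"constructed-example-secret"


def prove(secret: bytes, my_nonce: bytes, peer_nonce: bytes, role: bytes) -> bytes:
    """Proof of knowledge of `secret`: HMAC over both nonces plus a role tag.

    The role tag ("client"/"server") stops one side's proof from being
    reflected back as the other side's proof.
    """
    return hmac.new(secret, role + my_nonce + peer_nonce, hashlib.sha256).digest()


def run_mutual_auth(client_secret: bytes, server_secret: bytes):
    """Simulate the three-message exchange.

    Returns (transcript, client_accepts_server, server_accepts_client).
    The transcript is a list of (direction, message_dict) pairs so the
    caller can inspect exactly what crossed the wire.
    """
    transcript = []

    # 1. client -> server: a fresh challenge nonce (no secret material)
    c_nonce = secrets.token_bytes(16)
    transcript.append(("client->server", {"nonce": c_nonce}))

    # 2. server -> client: its own nonce and a proof over both nonces.
    #    The server proves first, so the client never proves anything to a
    #    party that has not already demonstrated knowledge of the secret.
    s_nonce = secrets.token_bytes(16)
    s_proof = prove(server_secret, s_nonce, c_nonce, b"server")
    transcript.append(("server->client", {"nonce": s_nonce, "proof": s_proof}))

    # Client verifies with a constant-time comparison.
    expected = prove(client_secret, s_nonce, c_nonce, b"server")
    client_accepts = hmac.compare_digest(expected, s_proof)
    if not client_accepts:
        # Server failed to prove knowledge: abort before sending our proof.
        return transcript, False, False

    # 3. client -> server: the client's proof, bound to the same nonce pair
    c_proof = prove(client_secret, c_nonce, s_nonce, b"client")
    transcript.append(("client->server", {"proof": c_proof}))

    server_accepts = hmac.compare_digest(
        prove(server_secret, c_nonce, s_nonce, b"client"), c_proof
    )
    return transcript, client_accepts, server_accepts


def secret_on_wire(transcript, secret: bytes) -> bool:
    """True if the raw secret appears in any message field of the transcript."""
    return any(secret in value for _, msg in transcript for value in msg.values())


if __name__ == "__main__":
    t, c_ok, s_ok = run_mutual_auth(SHARED_SECRET, SHARED_SECRET)
    print("genuine server: client accepts", c_ok, "/ server accepts", s_ok,
          "/ secret on wire:", secret_on_wire(t, SHARED_SECRET))
    t, c_ok, s_ok = run_mutual_auth(SHARED_SECRET, b"impostor-without-the-secret")
    print("impostor server: client accepts", c_ok, "/ messages sent:", len(t))
```

Two caveats a practitioner would want alongside this. First, the server must still store something equivalent to the client's secret to compute its proof, so a server compromise still exposes a password-equivalent; that is the problem password-authenticated key exchange (PAKE) designs address. Second, proving knowledge does not by itself bind the exchange to a particular channel: a relay that forwards messages between the real client and the real server unchanged will see both proofs succeed, which is why such proofs are normally tied to the TLS session or a derived session key.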
