Re: AW: AW: Secure Chrome

James A. Donald wrote:
>
>     --
> Chris Drake wrote:
> > XSS can steal anything - passwords, pw-manager
> > credentials, and/or cookies - discussion of
> > HTTPS/pw-manager/etc as some kind of solution to XSS
> > simply makes no sense whatsoever.
>
> Cross site scripting cannot steal something if the
> script is not handling the information, but merely
> triggering other software to obtain and send the data.
Exactly. Hence, XSS can steal pw from form-filling pw-managers but not 
from pw-managers that do the login directly, using HTTPS GET/PUT or 
using other protocols (that may have the advantage of not disclosing pw to a 
spoofed server - which may be a concern even when using HTTPS, at least 
in some cases).

Which is of course also related to your other note:
> What do you have in mind that is better than form submit
> over an HTTPS connection?
First: doing the HTTPS directly from the pw manager, rather than 
having the browser do it via the pw manager filling fields and doing the submit, is 
already more secure against XSS (and against spoofed login pages, a 
problem mainly in non-SSL-protected pages).

Second: see below...
>
> > or using an appropriate secure protocol.
>
> Such as?
SRP (see e.g. http://srp.stanford.edu/design.html), to name one... i.e., 
I agree with you that:
> One problem with the existing system is that people
> prove knowledge of shared secrets by revealing them to
> someone else who (supposedly) already knows them. Shared
> secrets should never be revealed.  Rather, those holding
> the shared secrets should prove to each other knowledge
> of them.  I suspect you have in mind intent to fix this
> problem, but are being coy because it is off topic or
> something.
I'll ignore the `coy` part, but yes, I think that discussing the 
protocol is not the focus of this group. Clearly such protocols exist 
(as I said, even HTTPS is relevant), so the question is one of providing the 
necessary conventions/standards to provide the necessary metadata to the 
browser / pw manager / extension.
>
> Of course, the correct solution to XSS is write one's
> server site so that it is not vulnerable to XSS, rather
> than to treat script as unreliable, but this turns out
> to be surprisingly difficult, and one should ask why is
> it so difficult - but doubtless if one did ask that, it
> would be declared to be off topic.
I agree with all three statements in this last paragraph/sentence you 
wrote. However, let me add that it would be _rightfully_ (imho) 
declared off-topic. We have other forums (as you know well!) for general 
discussions; this forum is for trying to define one particular part of 
the solution, and focusing is critical for the success of such efforts (as I 
believe you also know well).

Have a nice day, Amir Herzberg
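The SRP exchange referred to above, as an added example that is not part of the original thread: the client proves knowledge of the password without ever sending it, and the server holds only a salt and verifier, so neither an XSS-injected script nor a spoofed server ever sees the password. It assumes a toy group (N = 1019, g = 2, constructed here for readability), SHA-256 as the hash, and the SRP-6a message flow as written in the comments.

```python
import hashlib
import secrets

# Toy group, constructed for this example only: safe prime N = 2*509 + 1 with
# generator 2. A real deployment uses a large group such as those in RFC 5054.
N, g = 1019, 2

def H(*parts) -> int:
    """The SRP hash: SHA-256 over the parts, returned as an integer."""
    data = b"|".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def private_x(username: str, password: str, salt: bytes) -> int:
    """x = H(s, H(I ':' p)). Only the client ever computes this."""
    return H(salt, H(f"{username}:{password}"))

def enroll(username: str, password: str, salt=None):
    """Registration: the server stores (salt, verifier v = g^x), not the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)

def srp_login(username, password, salt, verifier, a=None, b=None) -> dict:
    """One SRP-6a exchange; the password appears only on the client-side lines."""
    a = a if a is not None else secrets.randbelow(N - 2) + 1
    b = b if b is not None else secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                            # client -> server: username, A
    B = (k * verifier + pow(g, b, N)) % N       # server -> client: salt, B
    u = H(A, B)                                 # both sides: scrambling parameter
    if A % N == 0 or B % N == 0 or u == 0:
        raise ValueError("abort: degenerate A, B or u")
    # client side (holds a and the password): S = (B - k*g^x)^(a + u*x)
    x = private_x(username, password, salt)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # server side (holds b and the verifier only): S = (A * v^u)^b
    S_server = pow((A * pow(verifier, u, N)) % N, b, N)
    K_client, K_server = H(S_client), H(S_server)
    M1 = H(A, B, K_client)                      # client -> server: proof of K
    server_accepts = M1 == H(A, B, K_server)
    M2 = H(A, M1, K_server) if server_accepts else None  # server -> client: proof
    client_accepts = M2 == H(A, M1, K_client)
    return {"server_accepts": server_accepts, "client_accepts": client_accepts,
            "keys_match": K_client == K_server}

if __name__ == "__main__":
    s, v = enroll("alice", "correct horse", b"constructed-salt")
    print(srp_login("alice", "correct horse", s, v))
```

A wrong password, or a spoofed server holding a verifier for some other password, leaves the two sides with different keys, so neither proof verifies.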

Received on Sunday, 16 July 2006 06:16:14 UTC