Re[2]: AW: AW: Secure Chrome

From: Chris Drake <christopher@pobox.com>
Date: Sun, 16 Jul 2006 19:06:43 +1000
Message-ID: <691004986.20060716190643@pobox.com>
To: public-usable-authentication@w3.org

>> Chris Drake wrote:
>> > XSS can steal anything - passwords, pw-manager
>> > credentials, and/or cookies - discussion of
>> > HTTPS/pw-manager/etc as some kind of solution to XSS
>> > simply makes no sense whatsoever.
>>
>> Cross site scripting cannot steal something if the
>> script is not handling the information, but merely
>> triggering other software to obtain and send the data.
AH> Exactly. Hence, XSS can steal pw from form-filling pw-managers but not
AH> from pw-managers that do the login directly, using HTTPS GET/PUT or
AH> using other protocols (that may have advantage of not disclosing pw to a
AH> spoofed server - which may be a concern even when using HTTPS, at least
AH> in some cases).

XSS can steal *anything* that the browser can access - so unless you
want to bar the browser from accessing a web site - no amount of
jiggery pokery with widgets to handle the login is going to solve
anything - ultimately - the browser *has* to be involved, otherwise
the visitor (or hacker driving the XSS script) can't *use* the web
site.  Something has to communicate to the browser that the login can
now "go ahead" - hackers don't care if this is a password, token,
cookie, session key, nonce, or whatever - they're just going to steal
it with the XSS and put you right back where you started from:
Vulnerable. Regardless.

And that's not even *starting* on the fact that XSS is just one of
about 100 different things they can do to accomplish their goals...

Chris.

Chrome: (Plated, via process) - The artificial outer surface
disguising blemishes and faults in the underlying material.
Received on Sunday, 16 July 2006 14:35:35 GMT
