W3C home > Mailing lists > Public > public-wsc-wg@w3.org > November 2007

[fwd] Updated passwords in the clear (from: dorchard@bea.com)

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 14 Nov 2007 10:42:15 +0100
To: public-wsc-wg@w3.org
Message-ID: <20071114094215.GQ14503@raktajino.does-not-exist.org>

Thomas Roessler, W3C  <tlr@w3.org>

----- Forwarded message from David Orchard <dorchard@bea.com> -----

From: David Orchard <dorchard@bea.com>
To: W3C-TAG Group WG <www-tag@w3.org>
Date: Tue, 13 Nov 2007 13:26:10 -0800
Subject: Updated passwords in the clear
List-Id: <www-tag.w3.org>
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.1.5

Based on our f2f meeting.  And I did a couple of tweaks to texts that I
thought read better:

"Because many systems store passwords a salted hash, it is not possible
in practice for both parties using such systems to compute the same
initial secret value."

"However, there's no obvious method by which a web browser can reliably
know when the data entered is sensitive. Furthermore, in browsers which
enable scripting, it may be impossible to know whether the information
is transmitted in clear text. For example, many forms use onSubmit
actions to start javascript programs. These programs secure the password
and then transmit the password and other information. A User Agent
cannot examine the javascript to ensure that the password is not
transmitted in clear text. Because of these limitations, this finding
provides no Good Practice advice to User Agent authors. "







----- End forwarded message -----
Received on Wednesday, 14 November 2007 09:42:31 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:14:19 UTC