Seeking advice on security best practice

Hi,

The Mobile Web Best Practices Working Group is currently working on a 
set of best practices for Mobile Web Applications. The specification is 
not very surprisingly called "Mobile Web Application Best Practices":
  http://www.w3.org/TR/mwabp/

One of these best practices relates to the use of HTTPS (section 3.2.1):
  http://www.w3.org/TR/mwabp/#bp-security-infoexchange

Although the best practice in itself is:
  "Use HTTPS when Exchanging User Credentials"
... the description emphasizes the overhead of using HTTPS for all 
transactions over a mobile network, and recommends using HTTPS only when 
needed, and relying on a pseudo-identity or a secure hash of the actual 
identity when possible.

We would like to get your feedback as security experts on that best 
practice. It is common practice, but de facto exposes hashed credentials 
on the network. Questions are:

1. What are the main dangers associated with the use of hashed 
credentials? Identity spoofing?

2. Are there practical recipes to avoid the dangers (e.g. "encrypt the 
client's IP address in the hashed credentials to ensure they cannot be 
used by some other client"?)

3. Can we consider it a good practice? In some not-highly-sensitive 
cases, e.g. for applications that use identity to personalize the 
look-and-feel? Never?


Thanks,

Francois.

Received on Thursday, 22 January 2009 10:21:33 UTC