- From: Francois Daoust <fd@w3.org>
- Date: Thu, 22 Jan 2009 11:20:54 +0100
- To: Web Security Context Working Group <public-wsc-wg@w3.org>
Hi,

The Mobile Web Best Practices Working Group is currently working on a set of best practices for Mobile Web Applications. The specification is not very surprisingly called "Mobile Web Application Best Practices":
http://www.w3.org/TR/mwabp/

One of these best practices relates to the use of HTTPS (section 3.2.1):
http://www.w3.org/TR/mwabp/#bp-security-infoexchange

Although the best practice in itself is: "Use HTTPS when Exchanging User Credentials" ... the description emphasizes the overhead of using HTTPS for all transactions over a mobile network, and recommends using HTTPS only when needed, and relying on a pseudo-identity or a secure hash of the actual identity when possible.

We would like to get your feedback as security experts on that best practice. It is common practice, but de facto exposes hashed credentials on the network. Questions are:

1. What are the main dangers associated with the use of hashed credentials? Identity spoofing?
2. Are there practical recipes to avoid the dangers (e.g. "encrypt the client's IP address in the hashed credentials to ensure they cannot be used by some other client")?
3. Can we consider it a good practice? In some not-highly-sensitive cases, e.g. for applications that use identity to personalize the look-and-feel? Never?

Thanks,
Francois.
Received on Thursday, 22 January 2009 10:21:33 UTC
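The pattern discussed in the mail, as an added example that is not part of the original message or of the MWABP specification: a bare hash of the identity sent over plain HTTP is a static bearer value, so whoever observes it can present it again, whereas a server-authenticated pseudo-identity token bound to the client address and an expiry (the idea behind question 2) limits that reuse. `SERVER_KEY`, the token layout and the sample identities and addresses are constructed assumptions.

```python
import hashlib
import hmac

# Constructed server-side secret for this example; a real deployment would
# generate it randomly and keep it private to the server.
SERVER_KEY = b"constructed-server-secret-for-the-example"


def pseudo_identity(user_id: str) -> str:
    """The 'secure hash of the actual identity' from the best practice.
    It hides the raw identity, but it never changes, so on its own it is a
    replayable bearer credential once seen on the network."""
    return hashlib.sha256(user_id.encode()).hexdigest()


def issue_token(pseudo: str, client_ip: str, ttl: int, now: int) -> str:
    """Issued once, over HTTPS, after the real credentials were checked.
    Binds the pseudo-identity to the observed client IP and an expiry time,
    and authenticates the whole payload with an HMAC under SERVER_KEY so it
    cannot be forged or altered by a client."""
    expires = now + ttl
    payload = f"{pseudo}|{client_ip}|{expires}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_token(token: str, client_ip: str, now: int):
    """Server-side check on each plain-HTTP request. Returns the
    pseudo-identity when the token is genuine, unexpired and presented
    from the address it was bound to; otherwise None."""
    try:
        pseudo, bound_ip, expires_str, tag = token.split("|")
        expires = int(expires_str)
    except ValueError:
        return None  # malformed token
    payload = f"{pseudo}|{bound_ip}|{expires}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or altered: HMAC does not match
    if now >= expires:
        return None  # expired: bounds how long a captured token is useful
    if bound_ip != client_ip:
        return None  # presented from a different client than it was issued to
    return pseudo
```

Binding to the client IP is fragile on mobile networks, where addresses change behind carrier gateways and many handsets share one NAT address, so the expiry and server-side revocation carry most of the protection there; the token also still travels in the clear and only narrows, rather than removes, the exposure the mail describes.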