W3C home > Mailing lists > Public > www-forms@w3.org > November 2002

Re: Idea for securityfix in HTML

From: Russell O'Connor <roconnor@Math.Berkeley.EDU>
Date: Sat, 16 Nov 2002 11:30:47 -0800 (PST)
To: www-forms@w3.org, W3C HTML <www-html@w3.org>
Message-ID: <Pine.SOL.4.44.0211161124520.24310-100000@blue3.math.berkeley.edu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[To: www-forms@w3.org, www-html@w3.org]

On Sat, 16 Nov 2002, Xatr0z wrote:

> I think this is going to end up in an discussion if it would be save or not,
> but I think it is. If someone is "sniffing" and get's the HTTP request
> instead of the HTTP server, he or she doesn't get the password, but it's
> encrypted (or with MD5, that depends on the HTTP request).

Fine, if you use MD5, the attacker doesn't get the password.  But she does
get the MD5sum which can be caputered, and then then a replay attack can
be made.  The attacker will just forge an HTTP request and send the MD5
sum she intercepted.

To be useful the server will have to send the form with a salt to add.
The server has to make sure that salts are not resued, and verify the
salt.  You couldn't use the back button to resubmit a request.  It's all a
big mess, and you might as well just use SSL.

- -- 
Russell O'Connor            <http://www.math.berkeley.edu/~roconnor/>
``[Law enforcement officials] suggested that the activists were stopped
not because their names are on the list, but because their names resemble
those of suspected criminals or terrorists.'' -- SFGate.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SunOS)
Comment: For info see http://www.gnupg.org

iD8DBQE91pztuZUa0PWVyWQRAjwgAJ995lKc7+seYochehJVYldUQ4MkvgCgmqR5
CK3prnT7oCtYTKM6DhwYxK0=
=zAkP
-----END PGP SIGNATURE-----
Received on Sunday, 17 November 2002 03:23:46 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 10 March 2012 06:21:54 GMT