W3C home > Mailing lists > Public > www-forms@w3.org > November 2002

Re: Idea for securityfix in HTML

From: John Keiser <jkeiser@netscape.com>
Date: Mon, 18 Nov 2002 11:51:03 -0800
Message-ID: <3DD944A7.8000101@netscape.com>
To: Goetz Bock <bock@blacknet.de>
CC: www-forms@w3.org


Goetz Bock wrote:

>On Sun, Nov 17 '02 at 12:35, John Keiser wrote:
>  
>
>>I think the bottom line here is, MD5 is not enough but we need an MD5 
>>function so that we can hash the password so that it will match the one 
>>in the database before doing another, more secure hash based on 
>>server-supplied text, like HMAC (thanks John).
>>    
>>
>Just to tel you again: using MD5 on the password will not gain you
>anything. MD5ing a password to match it against an MD5-hash stored in
>the database is *WORSE* than sending the plaintext password (It's worse
>because it gives a false sence of security). 
>And using HMAC wont help either.
>  
>
Why do you think HMAC won't help?  I think you're laboring under a 
misapprehension about what it is.  Please help me understand.

Regarding MD5, just to tell you again: using MD5 is necessary because 
many servers store the password as MD5.  That does not mean we're going 
to send the MD5 sum across.  I am proposing something more like this:

1. Server supplies random text to browser
2. Browser sends back HMAC(sha1|md5, serverText, MD5(userPassword))
3. Server can do HMAC(sha1|md5, serverText, md5PasswordStoredInDatabase) 
and compare if equal

Regardless, it would be good to have something simple that allows us to 
match against MD5 passwords, whether we piggyback on HMAC or over XML sigs.

>Face it. youre not going to add ANYTHING to html anymore. html has been
>deploied and it's impossible to fix anything, now or in the future.
>  
>
I'm talking about adding these to XPath.

--John
Received on Monday, 18 November 2002 14:51:37 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 10 March 2012 06:21:54 GMT