
Re: Idea for securityfix in HTML

From: John Keiser <jkeiser@netscape.com>
Date: Fri, 15 Nov 2002 17:05:50 -0800
Message-ID: <3DD599EE.9060409@netscape.com>
To: Toby Inkster <tobyink@goddamn.co.uk>
Cc: www-forms@w3.org, www-html@w3.org, www-html-editor@w3.org

His idea isn't so bad as all that.  Many servers use MD5 to store their 
passwords and thus you can use it to compare passwords, which is all 
that is needed for simple password authentication.  Why bother?  Because 
sometimes people run small sites but do not have the wherewithal, 
technical knowledge, or control of the server necessary to use an https 
server.  However, you can use JavaScript to accomplish this deed if you 
are interested.

I run a project that does a user authentication / session management and 
is meant to be used in multiple environments, and doing this in 
JavaScript is on the todo list because this need does exist.

The main point against this is, HTML is dead :)  An MD5 encryption 
function in XPath is something worth considering, though, so that it 
could be used in XForms (you could use a calculate node).  I think it 
would be a bad idea to make it an attribute on the <secret> element, 
however--data manipulation like that belongs in the functional language.

--John Keiser

Toby Inkster wrote:

>On Fri, 15 Nov 2002 23:04:18 +0100
>"Xatr0z" <xatr0z@home.nl> wrote:
>
>| We hope this idea will be included in the W3C standards of HTML and
>| XHTML.
>
>I deeply hope this is a troll.
>
>This is a terrible idea for the following reasons:
>
>a) Rot13 and Base64 provide no security at all. Assuming rot13'd data is intercepted, it can be easily decoded by a 10 year old with a pen and paper.
>
>b) MD5 isn't even encryption -- it's a hash -- not reversible. Thus the server couldn't decode the information at the other end anyway!
>
>c) Why bother when we already have HTTPS? HTTPS provides security infinitely better than all the methods you have suggested.
>
>d) HTML is dead, there are no plans to recommend any further versions.
>
>-- 
>Toby A Inkster BSc ARCS
>PGP:      http://www.goddamn.co.uk/tobyink/node.cgi?id=12
>Web Page: http://www.goddamn.co.uk/tobyink/
>IM:       AIM:inka80 ICQ:6622880 YIM:tobyink Jabber:tobyink@a-message.de
>
>My pants just went to high school in the Carlsbad Caverns!!!
Received on Friday, 15 November 2002 20:08:49 GMT
