W3C home > Mailing lists > Public > www-html-editor@w3.org > October to December 2002

RE: Idea for securityfix in HTML

From: John Boyer <JBoyer@PureEdge.com>
Date: Fri, 15 Nov 2002 17:24:10 -0800
Message-ID: <7874BFCCD289A645B5CE3935769F0B524527EB@tigger.pureedge.com>
To: "John Keiser" <jkeiser@netscape.com>, "Toby Inkster" <tobyink@goddamn.co.uk>
Cc: <www-forms@w3.org>, <www-html@w3.org>, <www-html-editor@w3.org>
Using MD5 as a way of 'encrypting' a password is a red herring as there is little real security benefit.  That the password isn't clear text is not of value because the server is looking for MD5(password), which is travelling clear text in your submission.  This means that I can pick up from your unsecured data stream the token of information necessary to access the allegedly password protected resources.
 
To authenticate a user without sending the password, use HMAC.
 
John Boyer, Ph.D.
Senior Product Architect
PureEdge Solutions Inc.
  

-----Original Message-----
From: John Keiser [mailto:jkeiser@netscape.com]
Sent: Friday, November 15, 2002 5:06 PM
To: Toby Inkster
Cc: www-forms@w3.org; www-html@w3.org; www-html-editor@w3.org
Subject: Re: Idea for securityfix in HTML


His idea isn't so bad as all that.  Many servers use MD5 to store their passwords and thus you can use it to compare passwords, which is all that is needed for simple password authentication.  Why bother?  Because sometimes people run small sites but do not have the wherewithal, technical knowledge, or control of the server necessary to use an https server.  However, you can use JavaScript to accomplish this deed if you are interested.

I run a project that does a user authentication / session management and is meant to be used in multiple environments, and doing this in JavaScript is on the todo list because this need does exist.

The main point against this is, HTML is dead :)  An MD5 encryption function in XPath is something worth considering, though, so that it could be used in XForms (you could use a calculate node).  I think it would be a bad idea to make it an attribute on the <secret> element, however--data manipulation like that belongs in the functional language.

--John Keiser

Toby Inkster wrote:


-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



- -----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



On Fri, 15 Nov 2002 23:04:18 +0100

"Xatr0z"   <mailto:xatr0z@home.nl> <xatr0z@home.nl> wrote:



| We hope this idea will be included in the W3C standards of HTML and

| XHTML.



I deeply hope this is a troll.



This is a terrible idea for the following reasons:



a) Rot13 and Base64 provide no security at all. Assuming rot13'd data is intercepted, it can be easily decoded by a 10 year old with a pen and paper.



b) MD5 isn't even encryption -- it's a hash -- not reversible. Thus the server couldn't decode the information at the other end anyway!



c) Why bother when we already have HTTPS? HTTPS provides security infinitely better than all the methods you have suggested.



d) HTML is dead, there are no plans to recommend any further versions.



- - -- 

Toby A Inkster BSc ARCS

PGP:       http://www.goddamn.co.uk/tobyink/node.cgi?id=12

Web Page:  http://www.goddamn.co.uk/tobyink/

IM:        AIM:inka80 ICQ:6622880 YIM:tobyink  Jabber:tobyink@a-message.de



My pants just went to high school in the Carlsbad Caverns!!!

- -----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.0.7 (GNU/Linux)



iD8DBQE91XYVzr+BKGoqfTkRAjAyAJwIu30es9UR0UQdmsnFnDrYmb4zLACgkkH1

P0W0EoceSB3wMrhGtfpmEpQ=

=yTWv

- -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.0.7 (GNU/Linux)



iD8DBQE91XZfzr+BKGoqfTkRAoA+AJ9Pg03tSLoI0zaxLqQr/rjcJ5viOQCgo9k2

N8pJC2rtKpl8wKrQ49JWjsI=

=8iL+

-----END PGP SIGNATURE-----



  
Received on Friday, 15 November 2002 20:24:51 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 March 2012 18:17:43 GMT