W3C home > Mailing lists > Public > www-html-editor@w3.org > October to December 2002

Re: Idea for securityfix in HTML

From: Xatr0z <xatr0z@home.nl>
Date: Sat, 16 Nov 2002 11:12:19 +0100
Message-ID: <007001c28d58$a5a9c3c0$44b479d9@emmen1.dr.home.nl>
To: <www-forms@w3.org>, <www-html@w3.org>, <www-html-editor@w3.org>

[snip]

> > All this information is send without any encryption. We suggest to add
> > the following attribute to the <INPUT> tag. Like this:
>
> The problem, of course, is that if a form is loaded over http:// you may
> know the data is being encrypted and sent somewhere but not _who_ it's
> being sent to.  Authentication of both parties is a much more serious
> problem than simple encryption of data (and note that you're trying to
> prevent the theft of the client's identity--the password--but are doing
> nothing to prevent the theft of the _server_'s identity).
>
> Without addressing the authenticity of both sides of the transaction,
> the best such a proposal can accomplish is a false sense of security.

Yes, you're right, but if we take an MD5 hash instead of the plain password,
the data would be saver. Ofcourse, it is NOT secure, but we have https:// as
a good alternative I think.


Regards,

D. Willems "Xatr0z" <xatr0z at users.sourceforge.net>
Received on Saturday, 16 November 2002 05:14:12 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 March 2012 18:17:43 GMT