
Re: Idea for securityfix in HTML

From: David Woolley <david@djwhome.demon.co.uk>
Date: Sat, 16 Nov 2002 09:50:20 +0000 (GMT)
Message-Id: <200211160950.gAG9oKw06205@djwhome.demon.co.uk>
To: www-html@w3.org

> A normal HTML form which allows a user to login to a system, could look
> like this:

The real problem here is that people are not using the security features
in HTTP.  In-band logins in HTML are intrinsically insecure even if you
use challenge-response techniques, as they generally rely on cookies,
referer or hidden form fields to protect the internal pages, and these
all simply return unmodified data to the server.  They are done essentially
for vanity reasons.

(I agree with the other points that this proposal is plain text equivalent.
HTTP basic authentication is also plain text equivalent.  I don't know enough
about the MD5 authentication scheme in HTTP - getting good varying challenges
is going to be a problem.  HTTPS is the only really secure way of handling
passwords.)

Received on Saturday, 16 November 2002 04:50:26 GMT
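The "varying challenges" concern above is the crux of HTTP Digest authentication: the client proves knowledge of the password by hashing it with a server-supplied nonce, so a server that hands out predictable or reusable nonces lets a captured response be presented again. The following is an added example (not from the original post or any W3C code) that implements the RFC 2617 MD5 digest on both sides with one-shot nonces; the realm, user and password are constructed sample values.

```python
import hashlib
import secrets

# Constructed sample credentials for the demo (not from the original post).
REALM = "example-realm"
USERNAME = "alice"
PASSWORD = "correct horse"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """Client side of RFC 2617 Digest (algorithm=MD5, no qop):
    response = H(H(user:realm:pass) : nonce : H(method:uri))."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Server side: stores only H(A1), issues fresh one-shot nonces and
    rejects any nonce it did not issue or has already accepted."""

    def __init__(self, realm, users):
        self.realm = realm
        # username -> H(A1); the cleartext password never needs to be stored
        self.ha1 = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.issued = set()

    def challenge(self):
        nonce = secrets.token_hex(16)  # unpredictable and never repeated
        self.issued.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, response):
        if nonce not in self.issued:
            return False  # not ours, or already consumed: reject as a replay
        self.issued.discard(nonce)  # each challenge is good for one answer only
        ha1 = self.ha1.get(username)
        if ha1 is None:
            return False
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{ha1}:{nonce}:{ha2}")
        return secrets.compare_digest(expected, response)


def demo():
    """A legitimate login succeeds; the same response re-sent is refused."""
    server = DigestServer(REALM, {USERNAME: PASSWORD})
    nonce = server.challenge()
    resp = digest_response(USERNAME, REALM, PASSWORD, "GET", "/private", nonce)
    first = server.verify(USERNAME, "GET", "/private", nonce, resp)
    replay = server.verify(USERNAME, "GET", "/private", nonce, resp)
    return first, replay  # (True, False)
```

Digest still does nothing for the confidentiality of the pages themselves, which is why the post's conclusion that HTTPS is the only really secure option stands.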