Re: Idea for securityfix in HTML

From: Xatr0z <xatr0z@home.nl>
Date: Sat, 16 Nov 2002 12:28:39 +0100
Message-ID: <00d101c28d63$4fbc1480$44b479d9@emmen1.dr.home.nl>
To: "Boris Zbarsky" <bzbarsky@MIT.EDU>
Cc: <www-forms@w3.org>, <www-html@w3.org>, <www-html-editor@w3.org>

>
> > Yes, you're right, but if we take an MD5 hash instead of the plain
> > password, the data would be safer.
>
> Like I said, you get a misleading illusion of safety for both parties.
> In reality, neither is more secure, and is hence more vulnerable (same
> level of actual security, but more likely to do stupid things due to the
> perception of security).

I think this is going to end up in a discussion about whether it would be
safe or not, but I think it is. If someone is "sniffing" and gets the HTTP
request instead of the HTTP server, he or she doesn't get the password, but
it's encrypted (or with MD5, that depends on the HTTP request). Of course, it
isn't secure, he or she could try a dictionary or brute-force attack, but
it is more secure, and I think that's a good thing.

What do you feel about the idea to create an attribute which allows the
client to send an (MD5) checksum of the file, to determine if the transport
went well?

Another idea, maybe make something like a "checksum" value in the type
attribute in the <INPUT> tag, which takes a checksum of all data?


Regards,

D. Willems "Xatr0z" <xatr0z at users dot sourceforge dot net>
Received on Saturday, 16 November 2002 06:30:39 GMT
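
Added example, not part of the original message or of any W3C specification: a sketch of the point under debate in this thread, comparing a form that submits MD5(password) with a nonce-based challenge-response. The credential, function names and the `ChallengeServer` class are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential; every name in this block is hypothetical.
STORED_PASSWORD = "correct horse"

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def server_accepts_static_hash(submitted: str) -> bool:
    """Scheme from the thread: the form submits MD5(password) over HTTP."""
    return hmac.compare_digest(submitted, md5_hex(STORED_PASSWORD))

def client_response(password: str, nonce: str) -> str:
    """Client side of the contrast scheme: HMAC-SHA256 over a server nonce."""
    return hmac.new(password.encode(), nonce.encode(), hashlib.sha256).hexdigest()

class ChallengeServer:
    """Contrast: each login must answer a fresh, single-use nonce.
    Assumption: the server can recompute the response from the password."""
    def __init__(self, password: str):
        self._password = password
        self._pending = set()

    def new_challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: str, response: str) -> bool:
        if nonce not in self._pending:
            return False              # unknown or already used nonce
        self._pending.discard(nonce)  # single use
        expected = client_response(self._password, nonce)
        return hmac.compare_digest(response, expected)

def demo() -> dict:
    # Values an on-path observer would record from one legitimate login each.
    sniffed_hash = md5_hex(STORED_PASSWORD)
    server = ChallengeServer(STORED_PASSWORD)
    nonce = server.new_challenge()
    sniffed_response = client_response(STORED_PASSWORD, nonce)
    return {
        "challenge_legit_login": server.verify(nonce, sniffed_response),
        "static_hash_replay_accepted": server_accepts_static_hash(sniffed_hash),
        "challenge_replay_same_nonce": server.verify(nonce, sniffed_response),
        "challenge_replay_new_nonce": server.verify(server.new_challenge(), sniffed_response),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the static hash, the recorded value is itself the login credential, so hiding the plaintext does not change what the server accepts. Neither variant protects the rest of the request or prevents offline guessing against recorded values; transport encryption (HTTPS) addresses both.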
