Re: Idea for securityfix in HTML from Xatr0z on 2002-11-16 (www-html@w3.org from November 2002)

From: Xatr0z <xatr0z@home.nl>
Date: Sat, 16 Nov 2002 17:24:09 +0100
To: "Toby Inkster" <tobyink@goddamn.co.uk>
Cc: <www-forms@w3.org>, <www-html@w3.org>, <www-html-editor@w3.org>
Message-ID: <007001c28d8c$980816c0$44b479d9@emmen1.dr.home.nl>

[snip]

> | > b) MD5 isn't even encryption -- it's a hash -- not reversible. Thus
> | > the server couldn't decode the information at the other end anyway!
> |
> | Yes, but a lot of systems use MD5 hashes in databases, for passwords by
> | example.
>
> That is true, but if everybody did what you suggested, we would just be
relying on md5(password) to log in instead of password. The md5(password)
would be passed in plain text and could be intercepted and used by an
attacker.

I don't exactly understand what you mean. You say that if the HTTP client
sends the MD5 password instead of a text/plain password, that it "is passed
in plain text". That's not true, a MD5 hash is passed!

>
> | > c) Why bother when we already have HTTPS? HTTPS provides security
> | infinitely better than all the methods you have suggested.
> |
> | I think HTTP should be save.
>
> With a lot of improvements, a cardboard box could be made safe, but for
keeping things locked up, people prefer to use proper metal safes. Cardboard
boxes and safes are both useful for keeping things in -- but in different
ways.
>
> HTTP should be used when security isn't important. HTTPS should be used
when security is important.

Yes, maybe you're right in this one, people should not make everything
secure if it could be easyer. But, if we put this in HTML/HTTP, is stays as
easy as it is today and it is more secure. I don't see why this isn't
inserted in HTTP/HTML, and you don't give any arguments.
Also, not everyone has an HTTPS server. Most WWW activity is with HTTP.

>
> | > d) HTML is dead, there are no plans to recommend any further versions.
> |
> | I personaly think this is a bad idea, HTML is still used a lot on the
> | WWW.
>
> There is nothing to stop people using it, but there are no plans to make
any new versions after 4.01. All improvements are going into XHTML, which is
a more easily extensible format.
>

If W3C doesn't want to improve HTML, it;s there choice, but why don't start
improving HTML again, but on a small scale? If you don't do it, HTTP servers
and clients will do it, and create there own standards, what would be a bad
thing. I ask you guys from W3C, please start improving HTML again. I see
that HTML has "grown up", but that doesn't mean that people won't use HTML
anymore.


Regards,

D. Willems "Xatr0z" <xatr0z at users dot sourceforge dot net>

Received on Saturday, 16 November 2002 11:26:01 UTC