
Re: Idea for securityfix in HTML

From: D. Willems <xatr0z@home.nl>
Date: Sun, 17 Nov 2002 11:17:58 +0100
Message-ID: <001d01c28e22$d5b90560$44b479d9@emmen1.dr.home.nl>
To: "Goetz Bock" <bock@blacknet.de>
Cc: <www-forms@w3.org>, <www-html@w3.org>, <www-html-editor@w3.org>

[snip]

>
> On Sat, Nov 16 '02 at 12:28, Xatr0z wrote:
> > [ ... ] If someone is "sniffing" and gets the HTTP request
> > instead of the HTTP server, he or she doesn't get the password, but it's
> > encrypted (or with MD5, that depends on the HTTP request). Of course, it
> > isn't secure, he or she could try a dictionary or brute-force attack, but
> > it is more secure, and I think that's a good thing.
> I don't need to do any brute-force. I can just reuse the SAME md5
> hash/checksum I just sniffed to reauthenticate as a valid user. As we
> have discussed, an MD5 sum can not be "decrypted" into the real
> password, it can only be compared to a given MD5 sum in the database.
>

Yes, you can, but think about registration mechanisms: you can mostly
register yourself only once.

[snip]

> > What do you feel about the idea to create an attribute which allows the
> > client to send an (MD5) checksum of the file, to determine if the
> > transport went well?
> This does not even add integrity checks for anything but transport
> errors. This should be handled by the transport protocol (TCP/IP in
> this case) but again read "secrets and lies".

Why should it? On my WWWebsites, I would like to see details about what went
wrong, give my personal errors, etc. I think it is a good idea to insert
this in HTML/XHTML.


Regards,

D. Willems "Xatr0z" <xatr0z at users dot sourceforge dot net>
Received on Sunday, 17 November 2002 05:21:34 GMT
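The following Python script is an added illustration of the two points argued in this thread; it is not code from the thread, from either correspondent, or from the W3C. Part 1 models the proposal as quoted (the browser sends MD5(password)) and shows Goetz's objection: a captured request re-sent unchanged still authenticates, so the hash is a password-equivalent and no dictionary attack is needed. Part 2 is a hypothetical mitigation that is not in the thread, a single-use server nonce bound into the proof (in the spirit of HTTP Digest authentication), which makes the captured request worthless. Part 3 models the proposed checksum attribute and shows why it covers transport errors only: a flipped bit is caught, but anyone able to alter the body can recompute an unkeyed checksum. The user store, the nonce scheme, the sample body and every function name are constructed for this demonstration; MD5 appears only because the thread discusses it.

```python
import hashlib
import hmac
import os

# Constructed sample user store: username -> MD5 of the password, which is
# what a server using the scheme from the thread would hold.
USERS = {"alice": hashlib.md5(b"correct horse").hexdigest()}


# --- 1. The scheme in the thread: browser sends MD5(password) ---------------

def client_static_hash(username: str, password: str) -> dict:
    """What the browser would send; a sniffer sees exactly this dict."""
    return {"user": username,
            "hash": hashlib.md5(password.encode()).hexdigest()}


def server_check_static(request: dict) -> bool:
    """Server compares the received hash with the stored hash."""
    stored = USERS.get(request["user"])
    return stored is not None and hmac.compare_digest(stored, request["hash"])


def replay_static(sniffed_request: dict) -> bool:
    """Goetz's point: the captured request is resent unchanged and still
    authenticates. The hash is a password-equivalent; no cracking needed."""
    return server_check_static(dict(sniffed_request))


# --- 2. Hypothetical mitigation (not from the thread): a single-use server
#        nonce bound into the proof, in the spirit of HTTP Digest auth. -------

_issued_nonces: set = set()


def server_issue_nonce() -> str:
    """Server generates a fresh random nonce before the form is submitted."""
    nonce = os.urandom(16).hex()
    _issued_nonces.add(nonce)
    return nonce


def client_nonce_proof(username: str, password: str, nonce: str) -> dict:
    """Browser hashes the password hash together with the nonce."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    proof = hashlib.md5(f"{pw_hash}:{nonce}".encode()).hexdigest()
    return {"user": username, "nonce": nonce, "proof": proof}


def server_check_nonce(request: dict) -> bool:
    """Accept only if the nonce was issued and is still unused, then burn it,
    so a captured request cannot be replayed."""
    stored = USERS.get(request["user"])
    nonce = request["nonce"]
    if stored is None or nonce not in _issued_nonces:
        return False
    _issued_nonces.discard(nonce)
    expected = hashlib.md5(f"{stored}:{nonce}".encode()).hexdigest()
    return hmac.compare_digest(expected, request["proof"])


# --- 3. The proposed checksum attribute: integrity against line errors only --

def declared_checksum(body: bytes) -> str:
    """Value a server would put in the hypothetical checksum attribute."""
    return hashlib.md5(body).hexdigest()


def checksum_ok(body: bytes, declared_md5: str) -> bool:
    """Client-side check: recompute and compare."""
    return hmac.compare_digest(declared_checksum(body), declared_md5)


def corrupt_in_transit(body: bytes) -> bytes:
    """A transport error: one flipped bit. The checksum catches this."""
    damaged = bytearray(body)
    damaged[0] ^= 0x01
    return bytes(damaged)


def rewrite_in_transit(body: bytes, old: bytes, new: bytes) -> tuple:
    """Anyone who can alter the body can also recompute the unkeyed checksum,
    so a deliberate change passes checksum_ok. This is why the attribute only
    covers transport errors, not tampering."""
    changed = body.replace(old, new)
    return changed, declared_checksum(changed)
```

Running it end to end: the sniffed static request passes `server_check_static` twice, while a nonce-bound request passes `server_check_nonce` once and is rejected on the second submission; the constructed body fails `checksum_ok` after a bit flip but passes again after a rewrite with a recomputed digest. The `hmac.compare_digest` calls are there only because equality checks on secrets should be constant-time; they do not change the conclusions.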
