
Suggestion for HTML form element to combat phishing

From: Ka Cheung Sia <kcsia@cs.ucla.edu>
Date: Thu, 25 May 2006 04:56:34 +0200
To: www-html@w3.org
Message-ID: <44749A22.7070808@cs.ucla.edu>

Hi,

As we know, phishing activities are very active on the Internet
nowadays. Such vulnerability to phishing is partly because we allow a
user's password to be sent in its plain format to the server side; it
makes the phishers able to collect username and password by setting up a
fraudulent website that looks like a legitimate one and tempting the user
to input their secret information. I am suggesting to add a new attribute
within the HTML input element to improve what we are currently using
(<input type="password"/>) for password input. The new attribute will be
something like (<input type="challenge" param="some random string"
value="......"/>). The browser will render this as a password box similar
to what we get right now, but when sending out the data, it uses the
value input by the user to encrypt the random string and sends it back to
the server.

As you can see, the idea here is to avoid sending the password in its
plain format to the server; instead, it is used to encrypt a string.
Given corresponding changes on the server side to generate a random
string with a proper timeout period when users access their login page,
and use the same encryption/decryption mechanism to check against the
password, phishers can no longer harvest the plain password but only an
encrypted form of it. This new HTML input attribute can guard against
phishing activities nowadays to a certain extent. How does everyone feel
about this addition?

-Richard
Received on Tuesday, 30 May 2006 09:30:04 GMT
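The challenge-response exchange proposed in the message above, as an added example in Python that is not part of the original post: HMAC-SHA256 stands in for the unspecified "encryption", the names Server, derive_key and client_response are assumed, and the expiry and single-use checks show what the server side needs so that a response captured by a phishing site cannot simply be replayed.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

CHALLENGE_TTL = 60  # seconds a challenge stays valid (the "proper timeout period")


def derive_key(password: str, username: str) -> bytes:
    """Both sides turn the password into a fixed-length MAC key.
    The server stores only this key, never the password, but the key is
    password-equivalent for this scheme, so it must be protected like one.
    Using the username as the PBKDF2 salt is a simplification for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), 100_000)


def client_response(password: str, username: str, challenge: str) -> str:
    """What the browser would submit instead of the plaintext password:
    a MAC over the server's random string, keyed by the user's password."""
    key = derive_key(password, username)
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()


class Server:
    def __init__(self, users: Dict[str, str]):
        # users maps username -> password at enrolment; only derived keys are kept
        self.keys = {u: derive_key(p, u) for u, p in users.items()}
        self.pending: Dict[str, Tuple[str, float]] = {}  # challenge -> (user, expiry)

    def issue_challenge(self, username: str, now: Optional[float] = None) -> str:
        """Called when the login page is rendered; the value goes into the
        proposed param="..." attribute."""
        now = time.time() if now is None else now
        challenge = secrets.token_hex(16)  # 128 random bits, unguessable
        self.pending[challenge] = (username, now + CHALLENGE_TTL)
        return challenge

    def verify(self, username: str, challenge: str, response: str,
               now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self.pending.pop(challenge, None)  # single use: a replay finds nothing
        if entry is None or entry[0] != username or now > entry[1]:
            return False
        key = self.keys.get(username)
        if key is None:
            return False
        expected = hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)  # constant-time comparison
```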