- From: Rice, Ed (ProCurve) <ed.rice@hp.com>
- Date: Wed, 15 Nov 2006 13:23:07 -0600
- To: <noah_mendelsohn@us.ibm.com>
- Cc: "John Cowan" <cowan@ccil.org>, "Vincent Quint" <Vincent.Quint@inrialpes.fr>, <www-tag@w3.org>
Yes, I've seen and understand the examples. My concern is simply that many users are not aware enough to 'know' if they're sending their password in clear text over the wire or not. Also, many users use the same password over and over again, so capturing one password for a user may open up many resources which the user did not intend.

I did enjoy reading John Cowan's article on not using more security than you need [1]. But it doesn't make a cut/dry case as to when to use a secure password and when not to. For example, on the news source outlined in the post it's clear that a news story doesn't need to use SHTML, but if the user hasn't authenticated it would be easy to redirect the user to a login page, and I do think that login page should use SHTML. Once the user has authenticated, the content may or may not rise to the level of secure content, and if not, straight HTML in fact would be preferable.

So, what John's article doesn't say is 'yeah, I think it's ok to pass passwords around in clear text'; I believe he's saying 'only secure what you need to'. I don't disagree with the latter. (John, correct me if I've misread.)

Hope this helps.

-Ed

[1] http://recycledknowledge.blogspot.com/2005/08/on-not-using-more-security-than-you.html

-----Original Message-----
From: noah_mendelsohn@us.ibm.com [mailto:noah_mendelsohn@us.ibm.com]
Sent: Wednesday, November 15, 2006 11:48 AM
To: Rice, Ed (ProCurve)
Cc: John Cowan; Vincent Quint; www-tag@w3.org
Subject: RE: New version of Passwords in the Clear

Ed Rice writes:

> The only possible exception I could see would be if you had only two
> computers on your network and they're together in a locked room.
> But then it's outside of the scope of the world wide web so the finding
> doesn't apply.

Whether you agree with them or not, other responses on this list suggest examples on the public network in which relatively knowledgeable providers of Web resources claim that they are happy with the intermediate level of security provided by HTTP Basic over ordinary HTTP. See for example [1].

Noah

[1] http://lists.w3.org/Archives/Public/www-tag/2006Nov/0085.html

--------------------------------------
Noah Mendelsohn
IBM Corporation
One Rogers Street
Cambridge, MA 02142
1-617-693-4036
--------------------------------------
Received on Wednesday, 15 November 2006 19:23:54 UTC
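The arrangement Ed describes above (send an unauthenticated visitor to an HTTPS login page, accept the credential only there, then serve ordinary news pages over plain HTTP) written out as a small request-routing policy. This is an added example, not code from the thread or from any W3C finding; the `Request`/`Response` classes, the host name `news.example`, the user table and the session store are constructed stand-ins for whatever a real server framework provides. `decode_basic` is included to make the thread's underlying point concrete: an HTTP Basic credential is only base64-encoded, so the policy's job is to ensure the header never travels over a plain-HTTP connection.

```python
import base64
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed stand-ins for a web framework's request/response objects
# (hypothetical; not any real library's API).
@dataclass
class Request:
    scheme: str                         # "http" or "https"
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

HOST = "news.example"                   # placeholder host name
LOGIN_PATH = "/login"
# Constructed credential table and session store; a real site would store a
# password hash and keep sessions in a server-side backend.
USERS = {"alice": "correct horse battery staple"}
SESSIONS = {"sess-abc123": "alice"}


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for HTTP Basic."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from an HTTP Basic Authorization header.

    This is the whole reason Basic needs TLS: the credential is only
    base64-encoded, so anyone who can read the header has the password.
    """
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def route(req: Request) -> Response:
    """Policy from the thread: log in over HTTPS, serve ordinary content over HTTP."""
    https_login = f"https://{HOST}{LOGIN_PATH}"

    # A credential that arrived over plain HTTP is never accepted, valid or not;
    # redirect to the HTTPS login page so the next attempt is protected.
    if "Authorization" in req.headers and req.scheme != "https":
        return Response(302, {"Location": https_login})

    # On the TLS login page a Basic credential is checked and exchanged for a session.
    if req.path == LOGIN_PATH and req.scheme == "https":
        creds = decode_basic(req.headers.get("Authorization"))
        if creds and USERS.get(creds[0]) == creds[1]:
            sid = "sess-abc123"         # constructed; real code generates a random id
            return Response(303, {"Location": f"http://{HOST}/",
                                  "Set-Cookie": f"sid={sid}; HttpOnly"})
        # No or wrong credential: ask the browser for one (still over TLS).
        return Response(401, {"WWW-Authenticate": 'Basic realm="news"'})

    # An established session is enough for article pages, on either scheme.
    user = SESSIONS.get(req.cookies.get("sid", ""))
    if user:
        return Response(200, body=f"news story for {user}")

    # Unauthenticated visitor: send the browser to the HTTPS login page.
    return Response(302, {"Location": https_login})
```

One caveat the thread does not get into: under this policy the session cookie itself still crosses the plain-HTTP connection after login, so what is protected is the reusable password, not the session.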