W3C home > Mailing lists > Public > www-tag@w3.org > January 2007

Asking too much of User Agents: Passwords in the clear again

From: Henry S. Thompson <ht@inf.ed.ac.uk>
Date: Tue, 09 Jan 2007 21:56:38 +0000
To: www-tag@w3.org
Message-ID: <f5btzyzoodl.fsf@erasmus.inf.ed.ac.uk>

Hash: SHA1

As the draft minutes [1] suggest, another tricky case wrt the proposed
finding on Passwords in the Clear [2] has emerged: Just because a form
with an <input type='password'>... is delivered via http and not https
does not necessarily mean the password will be shipped over the wire
in the clear -- it's been asserted that it's possible for javascript
on the page, invoked by an 'onsubmit' hook, to use some form of
(possibly public-key?) encryption so that what is actually submitted
is safe from snooping.  Clearly the User Agent can't tell that this is
being done, and so would be expected to issue a warning to the user as
the finding currently stands, which would be misleading at best.

Security experts:  1) Is such Javascript actually possible?  If so,
                      does it provide an acceptable level of security?
                   2) Is it being done today (on the call it was
                      suggested that Yahoo does this)?


[1] http://www.w3.org/2007/01/09-tagmem-minutes.html
[2] http://www.w3.org/2001/tag/doc/passwords-InTheClear-52
- -- 
 Henry S. Thompson, HCRC Language Technology Group, University of Edinburgh
                     Half-time member of W3C Team
    2 Buccleuch Place, Edinburgh EH8 9LW, SCOTLAND -- (44) 131 650-4440
            Fax: (44) 131 650-4587, e-mail: ht@inf.ed.ac.uk
                   URL: http://www.ltg.ed.ac.uk/~ht/
[mail really from me _always_ has this .sig -- mail without it is forged spam]
Version: GnuPG v1.2.6 (GNU/Linux)

Received on Tuesday, 9 January 2007 21:56:48 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:32:51 UTC