Re: [passwordInTheClear-52]: A summary of where I think we are. from John Cowan on 2007-06-30 (www-tag@w3.org from June 2007)

From: John Cowan <cowan@ccil.org>
Date: Sat, 30 Jun 2007 14:09:39 -0400
To: David Orchard <dorchard@bea.com>
Cc: John Cowan <cowan@ccil.org>, "Williams, Stuart (HP Labs, Bristol)" <skw@hp.com>, Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>, www-tag@w3.org, "Rice, Ed (ProCurve)" <ed.rice@hp.com>
Message-ID: <20070630180939.GB29402@mercury.ccil.org>

David Orchard scripsit:

> I think it would be hard for a browser to tell the difference between
> low-security and non-low-security sites.  So trying to have the browser
> do something for the non-low-security sites and avoid prompting on
> low-security seems impossible.  

To me, only my bank is a truly high-security site (I realize that
others have other needs), and they already don't send passwords in 
the clear, and indeed take other anti-phishing precautions.

There are a few sites (all of which use https) where if my password
were to be compromised (and there are many routes to compromise
much simpler than reading even unencrypted traffic) things could be
charged to my credit card, but I can and would repudiate the charges.

I prefer things as they are.

> I think that the people that don't want to be prompted and know that the
> site is low security is in a very small majority of the users of the
> web.  

(Do you mean "very small minority"?)

People who don't want to be prompted are a great majority of people
everywhere: it is well-known that perpetually warning about a risk
dulls people to the warning to the point where they often start
clicking "OK" on even more seriously risky warnings.

> This would help any of the users of the non-low-security sites and
> perhaps prompt them to raise their security.  Who knows, maybe also the
> low-security sites would raise their security level to avoid the UA's
> advising about their password transfers.

That way leads inexorably to a Web in which all transactions are
secured, which means that nothing is anonymous.  This I hold to be a
Bad Thing.

-- 
John  Cowan  http://ccil.org/~cowan   cowan@ccil.org
'My young friend, if you do not now, immediately and instantly, pull
as hard as ever you can, it is my opinion that your acquaintance in the
large-pattern leather ulster' (and by this he meant the Crocodile) 'will
jerk you into yonder limpid stream before you can say Jack Robinson.'
        --the Bi-Coloured-Python-Rock-Snake

Received on Saturday, 30 June 2007 18:10:45 UTC