- From: Bud Hovell <bud@uzix.com>
- Date: Thu, 27 Dec 2001 11:49:40 -0800
- To: Martin Duerst <duerst@w3.org>
- CC: <www-validator@w3.org>, <nick@webthing.com>
Hi, Martin ...

> >That's the crux of the matter: this was never a "security problem" to
> >begin with. The mouse has stampeded the elephant.
>
> I beg to disagree. It may not be that much of a security problem
> in actual practice, but it's definitely very much a privacy

Then it shouldn't be presented as a "security" problem, which it apparently is not, as a practical matter. Since the same information is involved, the "privacy" problem cannot be of any greater magnitude. QED

If it's really some kind of "privacy" concern, then it's odd this argument was never presented at any time prior. (Not that there was any real discussion about the proposed "solution" and its consequences before it was silently imposed -- as in the case of new charset restrictions not defined by the 4.0x standard.)

> problem. Sending off logins and passwords for one site to
> another arbitrary site isn't something I would ever expect
> any Web service to do, period. If a big company would get
> caught doing this (accidentally or not), there might be a
> big outcry.

Unexpected behaviors -- or unexpected changes of behavior -- often cause a big outcry. The response to such an outcry is the measure of the organization to whom they are directed.

> And I don't think 'telling the user about it'
> would help; please think about whether you would use the
> validator if it said "Please note that if you validate
> pages on different sites (more exactly: in different
> realms), your browser will send the same user name and
> password that you entered for the first site to all
> subsequent sites."

If this were the behavior selected by the administrator, I see nothing wrong with this approach under some (optional, non-default) conditions.

I'm also unsure how the proposed solution of passing along the Realm name, in addition to the login id and password, enhances either security or privacy except to the extent it makes more unlikely the already unlikely "lucky strike" on a page at a second server where the username and password happened to be exactly the same. (The chances the same user didn't also have access permission on this second server are near-zero, of course, unless password discipline on both servers is so minimal as to render security entirely meaningless, anyhow.)

> >We make
> >available anonymous logins where the username/password are random strings
> >unknown to the users logging in (who thus need not reveal any personal
> >identifying information.) Once inside, such a user lacks the necessary
> >password information to fulfill an authentication request.
>
> How do the users get into the site without ever knowing
> a password? Is that some little-known feature of HTTP
> authentication, some script hack, or something else?

Scripting. And they don't need a password to get into the site -- only to log into an individual account on that site.

> >And the extra
> >hand-motion required entirely defeats the immediacy of one-click
> >validation.
>
> I think you could easily get back there by redirecting the
> user to the W3C validator. If you know how to get passwords
> into the browser, you just have to calculate the realm that
> the validator is going to use, or don't you?

The problem, of course, is that the Validator has already munged the Realm name -- which is why the server presents the authentication box -- so there is no possibility of validating it by hand-entering the correct login id and password. Checkmate.

Our reaction has been to simply remove validation from protected pages and move on. We see little benefit from further after-the-fact debate about a vague concern which appears to be a moving target of infinitely small magnitude on the distant horizon.

The Validator service will continue to be offered at our sites for all other (which is to say most) pages until we have more time to address the matter permanently.

We do appreciate that much skill and effort has gone into providing the Validator service (which we use constantly for development), and wish happy holidays to all those who have helped bring it to reality.

Regards,

Bud Hovell
Received on Thursday, 27 December 2001 14:54:50 UTC