- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 26 Jan 2009 18:47:25 -0800
- To: Adrien de Croy <adrien@qbik.com>
- Cc: ietf-http-wg@w3.org
On Mon, Jan 26, 2009 at 6:46 PM, Adrien de Croy <adrien@qbik.com> wrote:
>>> Adam Barth wrote:
>>>> It is impossible to secure all the users who visit your Web site. You
>>>> cannot secure users with IE5 or Firefox 1.0, for example.
[snip]
> I was referring to a secure system that does not rely on secrecy, since we
> all know that secrecy is not security.
>
> E.g. some sort of random token + hashing, where you pass a token to the
> browser, it does something to it (e.g. in script), and passes the result
> back.
>
> one that can't be forged, and can't be replayed

These browsers are unable to distinguish "your site" from "the attacker's site." Anything that your site can do, the attacker can do on behalf of your site. It's as if your site has an XSS vulnerability that you cannot patch.

Adam
Received on Tuesday, 27 January 2009 02:47:59 UTC