- From: <bugzilla@jessica.w3.org>
- Date: Fri, 04 Mar 2011 02:22:22 +0000
- To: public-html-bugzilla@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=11912
Jeremy <jeremy@blazonco.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #13 from Jeremy <jeremy@blazonco.com> 2011-03-04 02:22:21 UTC ---
(In reply to comment #12)
> Incidentally, zewt on #whatwg pointed out you can get all the security benefits
> of your scheme using cookies:
>
> <zewt> (AryehGregor: not necessarily useful to that person, but if I really
> needed that, I'd probably do something along the lines of storing an encrypted
> password in the cookie with a key on the server, so the server can decrypt it
> for each request and then throw it away)
>
> That way the server still doesn't have to store any credential info that an
> attacker could profitably compromise.
1. For the spoofing attack, now I just have to figure out where you store the
key. Or are you generating a new key on each request? No matter how many
levels of indirection you put between me and the stored session key, I can
still get to it. There is simply no way to make it impossible; only really
hard.
2. You're still storing your database credentials using this mechanism.
Anyway, Hixie has made the decision. If he doesn't see what I'm trying to say
then I doubt anyone else on the WG would. What a shame - we had a chance here
to provide a way to pass credentials directly from the user's brain to backend
services without having to store them on the web server. Would have been great
for security; in fact I think it would have soon become an industry-wide best
practice if the UA support was there. Oh well. I'll set it to CLOSED.
--
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Friday, 4 March 2011 02:22:23 UTC