- From: <bugzilla@jessica.w3.org>
- Date: Fri, 04 Mar 2011 02:22:22 +0000
- To: public-html-bugzilla@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=11912 Jeremy <jeremy@blazonco.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #13 from Jeremy <jeremy@blazonco.com> 2011-03-04 02:22:21 UTC --- (In reply to comment #12) > Incidentally, zewt on #whatwg pointed out you can get all the security benefits > of your scheme using cookies: > > <zewt> (AryehGregor: not necessarily useful to that person, but if I really > needed that, I'd probably do something along the lines of storing an encrypted > password in the cookie with a key on the server, so the server can decrypt it > for each request and then throw it away) > > That way the server still doesn't have to store any credential info that an > attacker could profitably compromise. 1. For the spoofing attack, now I just have to figure out where you store the key. Or are you generating a new key on each request? No matter how many levels of indirection you put between me and the stored session key, I can still get to it. There is simply no way to make it impossible; only really hard. 2. You're still storing your database credentials using this mechanism. Anyway, Hixie has made the decision. If he doesn't see what I'm trying to say then I doubt anyone else on the WG would. What a shame - we had a chance here to provide a way to pass credentials directly from the user's brain to backend services without having to store them on the web server. Would have been great for security; in fact I think it would have soon become an industry-wide best practice if the UA support was there. Oh well. I'll set it to CLOSED. -- Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA contact for the bug.
Received on Friday, 4 March 2011 02:22:23 UTC