RE: Proposed Final Review of W3C TAG Finding "Passwords in the Clear"

So, anyone not using HTTP 403 style authentication with Digest must use SSL?
I really do not see this happening. There are far too many sites in which
the capture of a password is fairly unimportant and/or the owners of the
site cannot afford an SSL certificate. Additionally, to enforce this at the
browser level with the "MUST NOT" phrasing is unrealistic; I can't imagine a
browser vendor "breaking" a huge number of Web sites like that. This is
impossible to enforce anyways... how do you know that a piece of client-side
JavaScript is not performing a one-way hashing before sending it? Finally,
this draft does not specify a minimum level of protection... I am sure that
if someone just did a lame "encryption" like doing a bitwise XOR of the
password, they would meet the spec to the letter, but not only violate the
spirit, but also have zero protection beyond clear text.

I can understand the reasoning behind the desire for this proposal, but it
is too flawed. It would have been a good idea in 1993, but now that the
"genie is out of the bottle" on this one, I don't think that we'll ever get
it back in, unless SSL becomes standard for all servers and trusted
certificates become free, or if HTML adds a password widget that pre-hashes
the password.

J.Ja

-----Original Message-----
From: public-html-request@w3.org [mailto:public-html-request@w3.org] On
Behalf Of Ian Hickson
Sent: Tuesday, June 24, 2008 8:19 PM
To: David Orchard
Cc: public-html@w3.org
Subject: Re: Proposed Final Review of W3C TAG Finding "Passwords in the
Clear"


On Tue, 24 Jun 2008, David Orchard wrote:
> 
> On behalf of the W3C TAG, I would like to solicit a final review of the 
> Draft TAG finding "Passwords in the Clear" [1].  Comments on this draft 
> should be posted to www-tag@w3.org and are appreciated.  I'd like to 
> suggest July 18th 2008 as a rough timeframe for comments.
> 
> [1] http://www.w3.org/2001/tag/doc/passwordsInTheClear-52

The spirit of the document seems very much in the right place. It isn't 
clear what is meant by "A client or browser MUST NOT transmit passwords in 
clear text.", however. For example, every connection to a member page of 
the W3C site requires sending a plain text password. If a browser stopped 
sending passwords in plain text, it would not be usable by W3C members.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 25 June 2008 04:23:05 UTC
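As an added illustration, not part of the thread above, of the contrast the first reply draws between HTTP Digest authentication and credentials sent in the clear: the Python below computes the RFC 2617 Digest response for the RFC's own worked example (section 3.5 values: user "Mufasa", realm "testrealm@host.com", password "Circle Of Life") next to a Basic header for the same credentials, and checks which header lets an observer recover the password. Header assembly is simplified to the fields needed for the comparison.

```python
import base64
import hashlib

def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest response (algorithm=MD5, qop=auth).
    Only hashes of the password ever leave the client."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def digest_header(username, realm, password, method, uri,
                  nonce, nc, cnonce, qop="auth"):
    resp = digest_response(username, realm, password, method, uri,
                           nonce, nc, cnonce, qop)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop={qop}, nc={nc}, cnonce="{cnonce}", '
            f'response="{resp}"')

def basic_header(username, password):
    """RFC 2617 Basic: base64 is encoding, not encryption."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def password_recoverable(header: str, password: str) -> bool:
    """What a passive observer of the request line can learn.
    Basic decodes directly; Digest is checked for the literal password."""
    if header.startswith("Basic "):
        decoded = base64.b64decode(header[6:]).decode("utf-8")
        return decoded.split(":", 1)[1] == password
    return password in header

# RFC 2617 section 3.5 test vector (not constructed here)
RFC_EXAMPLE = dict(username="Mufasa", realm="testrealm@host.com",
                   password="Circle Of Life", method="GET",
                   uri="/dir/index.html",
                   nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                   nc="00000001", cnonce="0a4f113b")

if __name__ == "__main__":
    print(digest_header(**RFC_EXAMPLE))
    print(basic_header(RFC_EXAMPLE["username"], RFC_EXAMPLE["password"]))
```

Digest keeps the password itself off the wire, but the server still has to hold the password or HA1 to verify it, and the request and response bodies stay readable, which is why the thread's suggestion of a pre-hashing widget does not substitute for a confidential channel.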