- From: Amir Herzberg <amir.herzberg@gmail.com>
- Date: Fri, 14 Jul 2006 10:59:22 +0300
- To: spam filter <spam@jeff-nelson.com>
- CC: Jörg Schwenk <joerg.schwenk@ruhr-uni-bochum.de>, public-usable-authentication@w3.org
spam filter wrote: > On 6/15/06, Amir Herzberg <amir.herzberg@gmail.com> wrote: >> Another thing which would have been really nice is a standard definition >> of the sensitive fields (password, cc#, etc...) - like ECML (rest in >> peace :-) ) but that is not as difficult to do by hand... > > This is an important area which is largely not addressed yet. We need > indicators for mutual authentication and session to prevent session > takeover attacks and validate identity of the remote server. > > For example, a user can be made to authenticate to her bank, but > through a XSS attack, that session can be taken over by an attacker in > order to request sensative information. If the bank proves its > identity after authentication and throughout the session, such attacks > could be preventable. Absolutely, and more: such XSS attacks can be launched even against existing automated login mechanisms (pw managers). This can be prevented if sites provide the necessary details to allow the pw managers to send the login credentials over secure connection (not via form submit), or using an appropriate secure protocol. What I recommend is standardization of appropriate <META> info that will allow the client-side code (login manager) to use the appropriate secure mechanism. I believe this goal is widely supported in this group and I think Thomas does think of it as part of the charter (is it not clear enough from the text?) Best, Amir > > - Jeff >
Received on Friday, 14 July 2006 08:00:25 UTC