- From: James A. Donald <jamesd@echeque.com>
- Date: Sat, 15 Jul 2006 13:46:58 +1000
- CC: public-usable-authentication@w3.org
Amir Herzberg wrote:
> such XSS attacks can be launched even against existing
> automated login mechanisms (pw managers). This can be
> prevented if sites provide the necessary details to
> allow the pw managers to send the login credentials
> over secure connection (not via form submit)

What do you have in mind that is better than form submit over an HTTPS connection?

> or using an appropriate secure protocol.

Such as?

One problem with the existing system is that people prove knowledge of shared secrets by revealing them to someone else who (supposedly) already knows them. Shared secrets should never be revealed. Rather, those holding the shared secrets should prove to each other knowledge of them.

I suspect you have in mind intent to fix this problem, but are being coy because it is off topic or something.

--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
Ahcsqo0pQ5PJ3au7l5qPz6qIbAx3RtAr5lPSTHeR
4Wi0wKg1xnkRUKjoaQ9+FrNFoxcDOb+JWLHCXI6nz
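The message above contrasts sending a password in a form submit with proving knowledge of it. As an added illustration (not part of the original thread or any W3C deliverable), the following mutual challenge-response exchange lets two parties prove to each other that they hold the same secret while the transcript never carries the secret itself; the salt, role labels and nonce sizes are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed salt for the example; a real deployment stores a per-user salt.
SALT = b"example-salt-not-for-production"


def derive_key(password: str, salt: bytes = SALT) -> bytes:
    """Both sides turn the shared password into a key once, offline.
    The raw password never appears in any protocol message."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def prove(key: bytes, role: bytes, c_nonce: bytes, s_nonce: bytes) -> bytes:
    """Proof of knowledge: a MAC over both fresh nonces, bound to the
    prover's role so a server proof cannot be replayed as a client proof."""
    return hmac.new(key, role + c_nonce + s_nonce, hashlib.sha256).digest()


def mutual_auth(client_key: bytes, server_key: bytes) -> dict:
    """Run one exchange and return who accepted plus the bytes on the wire."""
    c_nonce = secrets.token_bytes(16)  # client -> server: fresh challenge
    s_nonce = secrets.token_bytes(16)  # server -> client: fresh challenge

    client_proof = prove(client_key, b"client", c_nonce, s_nonce)
    server_proof = prove(server_key, b"server", c_nonce, s_nonce)

    # Each side recomputes the peer's expected proof with its own key and
    # compares in constant time; nobody ever transmits the key.
    server_accepts = hmac.compare_digest(
        client_proof, prove(server_key, b"client", c_nonce, s_nonce))
    client_accepts = hmac.compare_digest(
        server_proof, prove(client_key, b"server", c_nonce, s_nonce))

    return {
        "server_accepts": server_accepts,
        "client_accepts": client_accepts,
        "transcript": c_nonce + s_nonce + client_proof + server_proof,
    }


if __name__ == "__main__":
    k = derive_key("correct horse battery staple")
    result = mutual_auth(k, k)
    print("both accept:", result["server_accepts"] and result["client_accepts"])
    print("key in transcript:", k in result["transcript"])
```

A plain MAC exchange like this still lets whoever records the transcript run an offline dictionary attack on a weak password, which is why the "appropriate secure protocol" asked about in the thread is normally a password-authenticated key exchange rather than raw challenge-response.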
Received on Saturday, 15 July 2006 09:31:41 UTC