- From: Chris Drake <christopher@pobox.com>
- Date: Sun, 16 Jul 2006 19:06:43 +1000
- To: public-usable-authentication@w3.org
>> Chris Drake wrote:
>> > XSS can steal anything - passwords, pw-manager
>> > credentials, and/or cookies - discussion of
>> > HTTPS/pw-manager/etc as some kind of solution to XSS
>> > simply makes no sense whatsoever.
>>
>> Cross site scripting cannot steal something if the
>> script is not handling the information, but merely
>> triggering other software to obtain and send the data.

AH> Exactly. Hence, XSS can steal pw from form-filling pw-managers but not
AH> from pw-managers that do the login directly, using HTTPS GET/PUT or
AH> using other protocols (that may have advantage of not disclosing pw to a
AH> spoofed server - which may be a concern even when using HTTPS, at least
AH> in some cases).

XSS can steal *anything* that the browser can access - so unless you want to bar the browser from accessing a web site - no amount of jiggery pokery with widgets to handle the login is going to solve anything - ultimately - the browser *has* to be involved, otherwise the visitor (or hacker driving the XSS script) can't *use* the web site.

Something has to communicate to the browser that the login can now "go ahead" - hackers don't care if this is a password, token, cookie, session key, nonce, or whatever - they're just going to steal it with the XSS and put you right back where you started from: Vulnerable. Regardless.

And that's not even *starting* on the fact that XSS is just one of about 100 different things they can do to accomplish their goals...

Chris.

Chrome: (Plated, via process) - The artificial outer surface disguising blemishes and faults in the underlying material.
Received on Sunday, 16 July 2006 14:35:35 UTC