[whatwg] webforms2: new hash attribute for input ?

From: Julien TOUCHE <julien.touche@lycos.com>
Date: Wed, 15 Aug 2007 17:08:51 +0200
Message-ID: <46C31703.8010901@lycos.com>

Hi

I want to suggest some new attributes related to security of the form for
Web Forms 2, XForms and HTML 5.
http://www.w3.org/TR/web-forms-2/


Example:
<input type="password" hash="sha256" name="mypass" />
        so the browser transmits only the corresponding hash of the
given value.

Also, as we need to avoid turning the hash into a simple password, the
server needs to propose a one-time salt for the client, like this:
<input type="password" hash="sha256" salt="123456" name="mypass" />
in order to prevent crackers from submitting the hash directly to servers.

It could be seen as the same alternative as Apache mod_auth and
mod_auth_digest. It does not remove the need for https, but improves
security on one layer.
Why? To avoid form grabbing in the browser by current malware, which can
intercept GET and POST requests even on https (you could do the same
with Firefox and the "Live HTTP Headers" extension).
Today, the only alternative is to use javascript or java to hash the
password, which is hardly ever done by banks and never outside of them.
Including it in a W3 standard would give it better exposure.

As standard advice, the following hashes need to be included in the spec:
sha256/512 and legacy md5/sha1 (the market will add others if needed)

thanks
Regards

	/julien


Note: the problem with passwd + salt => it needs a cleartext password
in the server database, as the hash will depend on the salt. Otherwise we
can use some ugly hack, like the client hashing the password without salt
to obtain the server hash, adding the one-time salt, and hashing again to
obtain a one-time password which could be compared on the server and not
used by a cracker ... to be discussed to have a reliable implementation.
Received on Wednesday, 15 August 2007 08:08:51 UTC
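
The two-step scheme sketched in the note above (hash the password without salt, append the one-time salt, hash again), as an added example that is not part of the original message. The `Server` class, the function names and the sample credentials are constructed for illustration, and discarding each salt after one verification attempt is an assumption about how "one-time" would be enforced.

```javascript
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');

// Client side: what a browser honouring the proposed hash/salt attributes might send.
function clientResponse(password, salt) {
  return sha256(sha256(password) + salt);
}

class Server { // hypothetical server-side counterpart
  constructor() {
    // name -> sha256(password). No cleartext is stored, but this value is all a
    // client needs to compute a response, so it must be protected like a password.
    this.users = new Map();
    this.pending = new Map(); // name -> outstanding one-time salt
  }
  register(name, password) { this.users.set(name, sha256(password)); }
  // Fresh random salt to embed in the form's salt attribute.
  issueSalt(name) {
    const salt = crypto.randomBytes(16).toString('hex');
    this.pending.set(name, salt);
    return salt;
  }
  verify(name, response) {
    const salt = this.pending.get(name);
    const stored = this.users.get(name);
    this.pending.delete(name); // single use, whether or not the check passes
    if (!salt || !stored) return false;
    const expected = Buffer.from(sha256(stored + salt), 'hex');
    const got = Buffer.from(String(response), 'hex');
    return got.length === expected.length && crypto.timingSafeEqual(got, expected);
  }
}

function demo() {
  const server = new Server();
  server.register('alice', 'correct horse'); // constructed sample credentials
  const salt1 = server.issueSalt('alice');
  const captured = clientResponse('correct horse', salt1);
  const firstLogin = server.verify('alice', captured);
  const replaySameSalt = server.verify('alice', captured); // salt already consumed
  server.issueSalt('alice');
  const replayNewSalt = server.verify('alice', captured);  // bound to the old salt
  const salt3 = server.issueSalt('alice');
  const wrongPassword = server.verify('alice', clientResponse('guess', salt3));
  return { firstLogin, replaySameSalt, replayNewSalt, wrongPassword };
}
```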