- From: Julien TOUCHE <julien.touche@lycos.com>
- Date: Wed, 15 Aug 2007 17:08:51 +0200
Hi,

I want to suggest some new attributes related to the security of the form for Web Forms 2, XForms and HTML 5. http://www.w3.org/TR/web-forms-2/

Example:

<input type="password" hash="sha256" name="mypass" />

so the browser transmits only the corresponding hash of the given value.

Also, as we need to avoid turning the hash into a simple password, the server needs to propose a one-time salt for the client, like this:

<input type="password" hash="sha256" salt="123456" name="mypass" />

in order to prevent crackers from submitting the hash directly to servers. It could be seen as the same alternative as Apache mod_auth and mod_auth_digest.

It does not remove the need for https, but improves security on one layer.

Why? To avoid form grabbing on the browser by current malware, which can intercept GET and POST requests even on https (you could do the same with Firefox and the "Live HTTP Headers" extension).

Today, the only alternative is to use JavaScript or Java to hash the password, which is hardly done by banks and never outside. Including it in the W3 standard would give it better exposure.

As standard advice, the following hashes need to be included in the spec: sha256/512 and legacy md5/sha1 (the market will add others if needed).

Thanks,
Regards
/julien

Note: problem of passwd + salt => it needs to have a cleartext password in the server database, as the hash will depend on the salt. Else we can use some ugly hack like the client hashing the password without salt to obtain the server hash, adding the one-time salt, and hashing again to obtain a one-time password which could be compared on the server and not used by a cracker ... to be discussed to have a reliable implementation.
Received on Wednesday, 15 August 2007 08:08:51 UTC