- From: Julien TOUCHE <julien.touche@lycos.com>
- Date: Thu, 16 Aug 2007 20:49:27 +0200
Kornel Lesinski wrote on 15/08/07 23:57:

>> <input type="password" hash="sha256" name="mypass" />
>> so the browser transmits only the corresponding hash of the
>> given value.
>
> Unfortunately this will not secure browsing session, because once user
> is authenticated, server will have to use cookies which could be stolen
> and used to impersonate the user.

Cookies are another part of the problem which needs to be secured too
(httpOnly, secure, limited to one IP, and so on ... but could be overcome
too). Here, I want to address one type of attack, which is form grabbing.

> My suggestion is to kill two birds with one stone by marrying forms with
> Digest authentication (RFC 2617).

It is one way to achieve the above hashed passwd, if it could be integrated
in a standard HTML fashion. Still need to standardize other algorithms than
in rfc2617, which specifies only md5 (better to add sha1/sha256/sha512).

rfc2617 also defines a salt-like with nonce, which is a very good point,
but it seems to give the same problem said in the first mail: it needs the
server to have the passwd in clear to be able to compare against a changing
hash (if nonce is used) ...

> Digest is already implemented in browsers, doesn't require storage of
> unhashed passwords, on the client side.
> protects entire browsing session (with integrity
> checking of payload and stopping replay attacks)

A very good point, but needs nonce.

> The dealbreaker in current Digest implementations is the user interface
> - looks unfriendly, can't be customized, website can't offer account
> registration until user cancels login and there's no logout mechanism.

Another problem is you can't block brute-force attacks. Bank accounts are,
in general, blocked if you miss them 3 times, and after you need to call
the bank.

> UI for logging out could be as simple as <button type=logout>, however
> implementation details are probably outside scope of HTML 5.

There is logout, but also need a maxattempts attribute.

Else, except the ones mentioned in the rfc (http://www.faqs.org/rfcs/rfc2617),
I don't know if there are more advanced attacks which need to be thought
about before ...

Regards

Julien
Received on Thursday, 16 August 2007 11:49:27 UTC