[whatwg] Solving the login/logout problem in HTML

On Wed, 26 Nov 2008, Kornel Lesinski wrote:
> On Tue, 25 Nov 2008 05:26:47 -0000, Ian Hickson <ian at hixie.ch> wrote:
> > > 
> > > http://www.w3.org/TR/1999/NOTE-authentform-19990203
> [...]
> > I don't really understand what problem the above solves that isn't solved
> > better by SSL.
> I agree that if real security is desired, SSL is the only way to go. 
> However given that most login forms on the web send passwords in the 
> clear, other problems were more important than security.
> Form + Digest avoids these SSL problems:
> * Does not negatively impact performance. In TLS handshake lots of messages
> are going back and forth, so this can't be fixed by beefing up servers' CPUs.

This is also the case with form authentication.

> * Does not need access to server's configuration, and generation, installation
> and renewal of certificates. Redistributable software can support it out of
> the box, on almost any server, without manual installation steps.

Form authentication is even easier to support than Digest auth.

> Additionally, it's better than new "WWW-Authenticate: HTML" 
> authentication mechanism:
> * It's compatible with existing non-HTML HTTP clients.
> * Although its security is weak compared to SSL, it's a step up from forms +
> cookies.

Not really. If you can sniff the password from forms + cookies, then you 
can almost always also MitM a Digest connection, after which point you 
have basically lost.

> * It's easier to sell: "It will allow bots to log in" doesn't sound very 
> desirable. "It will protect your users' passwords against passive 
> eavesdropping" sounds better.

Unfortunately, both of those advantages pale in comparison to "you can 
style your login form", which is the real advantage of "WWW-Authenticate: 
HTML" and (in particular) HTML form authentication.

> I don't think "WWW-Authenticate: HTML" is a significant improvement. It 
> doesn't offer anything to existing websites/browsers. It's primarily 
> targeted for non-browser UAs, but it's not compatible with them. If UAs 
> are required to parse HTML, they could as well look for form with a 
> single password field.

I agree that it's not that great. But it is slightly better than nothing, 
and the cost to support this is pretty minimal.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 25 November 2008 17:21:46 UTC
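The "Form + Digest" versus "forms + cookies" comparison above turns on what a passive eavesdropper sees on the wire. The following added example (not code from the thread or from either author) walks through one RFC 2617 Digest exchange with qop=auth, using the RFC's own worked values, beside a plain form POST; the form field names and the server-side nonce check are assumptions for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # H(A1) is all the server needs to keep; the password string itself
    # never has to leave the client.
    return md5hex(f"{username}:{realm}:{password}")


def digest_response(h_a1, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617, qop=auth: request-digest = H(H(A1):nonce:nc:cnonce:qop:H(A2))
    h_a2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{h_a1}:{nonce}:{nc}:{cnonce}:{qop}:{h_a2}")


def authorization_header(username, realm, password, method, uri, nonce, nc, cnonce):
    # Client side: what actually travels in the Authorization header.
    resp = digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_digest(header: str) -> dict:
    fields = {}
    for part in header[len("Digest "):].split(", "):
        key, value = part.split("=", 1)
        fields[key] = value.strip('"')
    return fields


def server_verify(header, method, issued_nonce, stored_ha1) -> bool:
    # Server side: recompute from the stored H(A1); the nonce check is an
    # assumed, minimal defence against replaying a captured header.
    f = parse_digest(header)
    if f.get("nonce") != issued_nonce:
        return False
    expected = digest_response(stored_ha1, method, f["uri"], f["nonce"],
                               f["nc"], f["cnonce"], f["qop"])
    return hmac.compare_digest(expected, f["response"])


def form_login_body(username: str, password: str) -> str:
    # The "forms + cookies" alternative: a cleartext POST body (field names assumed).
    return urlencode({"user": username, "pass": password})
```

Rebinding the same credentials to a different URI or nonce makes the server reject the request, which is the integrity Digest adds over a form POST; it does nothing against an active MitM that rewrites the challenge, as the reply above points out.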