- From: Aaron Swartz <me@aaronsw.com>
- Date: Tue, 21 Oct 2008 09:16:25 -0400
The most common way of authenticating to web applications is: Client: GET /login Server: <html><form method="post">.... Client: POST /login user=joesmith01&password=secret Server: 200 OK Set-Cookie: acct=joesmith01,2008-10-21,sj89d89asd89s8d The obvious problem with this is that passwords are transferred in the clear. Some major web services redirect the user to an SSL server for the login transaction, but SSL is too expensive for the vast majority of services. (We can hope ObsTCP will fix this, but that's a long way away, if ever.) Another alternative is HTTP Digest authentication, but I vaguely remember Hixie saying it was insecure and, in any event, most Web services will not adopt it because the browser UI isn't customizable. My proposal: add something to HTML5 so that the transaction looks like this: Client: GET /login Server: <html><form method="post" pubkey="/pubkey.key">... Client: POST /login dXNlcj1qb2VzbWl0aDAxJnBhc3N3b3JkPXNlY3JldA== Server: 200 OK Set-Cookie: acct=joesmith01,2008-10-21,sj89d89asd89s8d where the base64 string is the form data encrypted with the key downloaded from /pubkey.key. This should be fairly easy to implement (for clients and servers), falls back to exactly the current behavior on browsers that don't support it, and solves a rather important problem on the Web.
Received on Tuesday, 21 October 2008 06:16:25 UTC