W3C home > Mailing lists > Public > whatwg@whatwg.org > October 2008

[whatwg] fixing the authentication problem

From: Philip Taylor <excors+whatwg@gmail.com>
Date: Tue, 21 Oct 2008 14:46:43 +0100
Message-ID: <ea09c0d10810210646t22ddb702iaacbea273927fc78@mail.gmail.com>
On Tue, Oct 21, 2008 at 2:16 PM, Aaron Swartz <me at aaronsw.com> wrote:
> The most common way of authenticating to web applications is:
>
> Client: GET /login
> Server: <html><form method="post">....
> Client: POST /login
> user=joesmith01&password=secret
> Server: 200 OK
> Set-Cookie: acct=joesmith01,2008-10-21,sj89d89asd89s8d
>
> [...]
>
> My proposal: add something to HTML5 so that the transaction looks like this:
>
> Client: GET /login
> Server: <html><form method="post" pubkey="/pubkey.key">...
> Client: POST /login
> dXNlcj1qb2VzbWl0aDAxJnBhc3N3b3JkPXNlY3JldA==
> Server: 200 OK
> Set-Cookie: acct=joesmith01,2008-10-21,sj89d89asd89s8d
>
> where the base64 string is the form data encrypted with the key
> downloaded from /pubkey.key.

As I understand it: As an attacker, I can intercept that "dXN..."
string. Then I can simply make a login POST request myself at any time
in the future, sending the same encrypted string, and will get the
valid login cookies even though I don't know the password. So it
doesn't seem to work very well at keeping me out of the user's
account. Also this seems vulnerable to dictionary attacks, e.g. I can
easily encrypt "user=joesmith01&password=..." for every word in the
dictionary and will probably discover the user's password.

-- 
Philip Taylor
excors at gmail.com
Received on Tuesday, 21 October 2008 06:46:43 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:06 UTC