- From: Philip Taylor <excors+whatwg@gmail.com>
- Date: Tue, 21 Oct 2008 14:46:43 +0100

On Tue, Oct 21, 2008 at 2:16 PM, Aaron Swartz <me at aaronsw.com> wrote:
> The most common way of authenticating to web applications is:
>
> Client: GET /login
> Server: <html><form method="post">....
> Client: POST /login
> user=joesmith01&password=secret
> Server: 200 OK
> Set-Cookie: acct=joesmith01,2008-10-21,sj89d89asd89s8d
>
> [...]
>
> My proposal: add something to HTML5 so that the transaction looks like this:
>
> Client: GET /login
> Server: <html><form method="post" pubkey="/pubkey.key">...
> Client: POST /login
> dXNlcj1qb2VzbWl0aDAxJnBhc3N3b3JkPXNlY3JldA==
> Server: 200 OK
> Set-Cookie: acct=joesmith01,2008-10-21,sj89d89asd89s8d
>
> where the base64 string is the form data encrypted with the key
> downloaded from /pubkey.key.

As I understand it: As an attacker, I can intercept that "dXN..." string. Then I can simply make a login POST request myself at any time in the future, sending the same encrypted string, and will get the valid login cookies even though I don't know the password. So it doesn't seem to work very well at keeping me out of the user's account.

Also this seems vulnerable to dictionary attacks, e.g. I can easily encrypt "user=joesmith01&password=..." for every word in the dictionary and will probably discover the user's password.

--
Philip Taylor
excors at gmail.com

Received on Tuesday, 21 October 2008 06:46:43 UTC
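
The two properties raised in the reply above, as an added example that is not part of the original message: a toy model showing that a deterministically encrypted login blob is accepted again on resend and is reproducible from the same plaintext, next to a variant where it is not. The thread names no cipher, so unpadded textbook RSA is an assumption, and `NonceLogin`, `client_form` and the `nonce`/`salt` fields are hypothetical names introduced here.

```python
import hmac
import secrets

# Toy textbook-RSA key from two public Mersenne primes (constructed for this
# demo; unpadded and deterministic, it offers no real security).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
USERS = {"joesmith01": "secret"}  # account values as quoted in the thread

def encrypt(form: bytes) -> int:
    # Browser side with /pubkey.key: same input always gives same output.
    return pow(int.from_bytes(form, "big"), E, N)

def decrypt(blob: int) -> bytes:
    m = pow(blob, D, N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def parse(form: bytes) -> dict:
    text = form.decode(errors="replace")
    return dict(kv.split("=", 1) for kv in text.split("&") if "=" in kv)

def check(fields: dict) -> bool:
    pw = USERS.get(fields.get("user"))
    return pw is not None and hmac.compare_digest(pw, fields.get("password", ""))

def login_as_proposed(blob: int) -> bool:
    # Server side of the quoted scheme: decrypt, then check the password.
    # Nothing ties the blob to one request, so a resent blob also passes.
    return check(parse(decrypt(blob)))

class NonceLogin:
    """Hypothetical variant: the form carries a server-issued one-time nonce."""
    def __init__(self):
        self.outstanding = set()
    def issue_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce
    def login(self, blob: int) -> bool:
        fields = parse(decrypt(blob))
        if fields.get("nonce") not in self.outstanding:
            return False  # unknown or already consumed: a resent blob
        self.outstanding.remove(fields["nonce"])
        return check(fields)

def client_form(nonce: str) -> bytes:
    # Random salt as a stand-in for randomized padding such as RSA-OAEP, so
    # equal credentials never produce equal ciphertexts.
    salt = secrets.token_hex(16)
    return f"user=joesmith01&password=secret&nonce={nonce}&salt={salt}".encode()
```
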