[whatwg] fixing the authentication problem

From: Aaron Swartz <me@aaronsw.com>
Date: Tue, 21 Oct 2008 09:52:56 -0400
Message-ID: <dc21c7860810210652w586e51edq50cfbc6f4b6a53e@mail.gmail.com>
> As I understand it: As an attacker, I can intercept that "dXN..."
> string. Then I can simply make a login POST request myself at any time
> in the future, sending the same encrypted string, and will get the
> valid login cookies even though I don't know the password. So it
> doesn't seem to work very well at keeping me out of the user's
> account. Also this seems vulnerable to dictionary attacks, e.g. I can
> easily encrypt "user=joesmith01&password=..." for every word in the
> dictionary and will probably discover the user's password.

I was simplifying; in real life, I expect the server will include a
nonce with the form (as a hidden input), which they'll only permit to
be used once. (I also expect their cookie will have an ID that maps to
the username instead of the actual username. Or they'll just have the
cookie encrypted entirely instead of using an HMAC.) This, of course,
doesn't affect the HTML spec.
Received on Tuesday, 21 October 2008 06:52:56 UTC
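The two defences sketched in the reply above (a single-use nonce carried as a hidden form input, and a cookie holding an opaque user id protected by an HMAC rather than the username), worked through as an added example that is not part of the original thread. The server key, the user table and the in-memory nonce store are constructed for the demo.

```python
import hmac, hashlib, secrets, time

# Constructed demo secret; a real server loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"

# Assumed in-memory nonce store: nonce -> expiry timestamp.
_issued_nonces = {}
# Constructed user table: username -> (opaque user id, password).
# Plain text only to keep the demo self-contained; real systems store a hash.
USERS = {"joesmith01": (42, "correct horse")}

def issue_nonce(ttl=300):
    """Mint a single-use nonce to embed in the login form as a hidden input."""
    nonce = secrets.token_urlsafe(16)
    _issued_nonces[nonce] = time.time() + ttl
    return nonce

def consume_nonce(nonce):
    """Accept a nonce exactly once; a replayed or expired nonce is rejected."""
    expiry = _issued_nonces.pop(nonce, None)
    return expiry is not None and time.time() < expiry

def make_cookie(user_id):
    """Cookie carries an opaque user id plus an HMAC tag, never the username."""
    body = str(user_id).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"

def verify_cookie(cookie):
    """Return the user id if the HMAC tag verifies, else None."""
    body, _, tag = cookie.rpartition(".")
    if not body.isdigit():
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return int(body) if hmac.compare_digest(tag, expected) else None

def login(username, password, nonce):
    """Handle the login POST: the nonce is checked first, then the credentials.
    Returns a session cookie on success, None otherwise."""
    if not consume_nonce(nonce):
        return None          # missing, expired or replayed nonce
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user[1], password):
        return None
    return make_cookie(user[0])
```

Replaying a captured login POST fails because its nonce has already been consumed, and a forged cookie fails the HMAC check even though the user id is guessable.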