
[whatwg] fixing the authentication problem

From: Kornel Lesinski <kornel@geekhood.net>
Date: Tue, 21 Oct 2008 20:07:35 +0100
Message-ID: <op.ujd12xozptj49s@aimac.local>

You're re-inventing Digest authentication (RFC 2617).

Digest has two-way authentication with hashed challenge-response, nonces,
can use passwords stored as hashes (though not as secure as storage for
plaintext auth), avoids insecurity of cookies and even has simple data
integrity verification.

...and it's all futile if an attacker can modify a single byte sent over the

Anyway, it doesn't make sense to duplicate all that functionality in forms
just because the typical interface for HTTP authentication is ugly and
unusable. You can fix the interface, and there's a proposal for it already
(from 1999!):

I think that proposal is generally a good idea, but the details could be
improved (i.e. should reuse existing forms and input types rather than
creating new ones that can't offer seamless fallback).

regards, Kornel Lesinski
Received on Tuesday, 21 October 2008 12:07:35 UTC
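As an added illustration of the Digest properties the message mentions (hashed challenge-response with nonces, server-side storage of a password hash, and the qop=auth-int integrity check), here is an RFC 2617 response computation with a verifier that stores only HA1. This is example code written for this archive page, not from the original message or any project; the user, realm, nonce and request values are constructed.

```python
import hashlib
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # HA1 = MD5(user:realm:password); a server may store this instead of the
    # plaintext password (RFC 2617 sec. 3.2.2.2).
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str, body: str = "") -> str:
    # response = MD5(HA1:nonce:nc:cnonce:qop:HA2). With qop=auth-int the HA2
    # term also covers MD5(entity-body), which is the simple integrity check.
    if qop == "auth-int":
        ha2 = _md5(f"{method}:{uri}:{_md5(body)}")
    elif qop == "auth":
        ha2 = _md5(f"{method}:{uri}")
    else:
        raise ValueError("unsupported qop")
    return _md5(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(username: str, realm: str, password: str, **req) -> str:
    # The browser side: derives HA1 from the password, never sends it.
    return digest_response(ha1(username, realm, password), **req)


def server_verify(stored_ha1: str, presented: str, **req) -> bool:
    # The server side: recomputes from the stored HA1; constant-time compare.
    return secrets.compare_digest(digest_response(stored_ha1, **req), presented)


# Constructed sample exchange (all values invented for this example).
USER, REALM, PASSWORD = "alice", "example.test", "correct horse"
REQ = dict(method="POST", uri="/api/transfer", nonce="5f3c2b1a9e8d7c6b",
           nc="00000001", cnonce="a1b2c3d4", qop="auth-int",
           body='{"to":"bob","amount":10}')
STORED_HA1 = ha1(USER, REALM, PASSWORD)


def demo() -> dict:
    good = client_response(USER, REALM, PASSWORD, **REQ)
    tampered = dict(REQ, body='{"to":"mallory","amount":10}')
    return {
        "accepted": server_verify(STORED_HA1, good, **REQ),
        "wrong_password": server_verify(STORED_HA1, client_response(USER, REALM, "x", **REQ), **REQ),
        "body_tampered": server_verify(STORED_HA1, good, **tampered),
        # Stored HA1 alone is enough to authenticate, which is why the post
        # calls hash storage weaker than for plaintext-auth schemes.
        "ha1_only": server_verify(STORED_HA1, digest_response(STORED_HA1, **REQ), **REQ),
    }
```

The `ha1_only` entry shows the trade-off the message alludes to: a leaked HA1 table is password-equivalent for Digest, so it must be protected like the plaintext passwords it replaces.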
