
[whatwg] meta="encrypt" tag is needed

From: <juuso_html5@tele3d.net>
Date: Thu, 06 May 2010 12:44:18 +0000
Message-ID: <20100506124418.503460tdnssh1pr6@webmail-srv2.servage.net>
<meta="encrypt" pubkey="ABABAEFEF2626EFEFEF"  
pubtool="EC256-AES|RSA2048-AES" passsalt="no|domainname"  
auth="verisign">

Please try to fully decrypt the above meta-encrypt tag and *see* how  
the browser-server communication could utilize it. (HINT: the browser  
submits a (session-specific) 256-bit elliptic curve public key to the  
server inside every URI request AND if the target page has a  
meta-encrypt tag, the server uses the browser's elliptic curve key  
and encrypts the page content with that.) It is very simple, doable  
and STATELESS. And in html5 it would eliminate some of the biggest  
real-life security threats on the internet. If you *could* learn and  
instinctively use the above meta-encrypt tag, then it should be  
simple enough for actual usage.

Yes, this suggestion may be a bit radical, so let's try to find the  
positive things first. Meaning: if you don't understand or like the  
structure immediately, shut up and let those who see the light  
express themselves first.

Ok, let me start with the passsalt:

passsalt => salts the password-field value into => SHA-256($password) format

I think the passsalt="(no|domainname)" attribute should also be added  
as a form parameter (with the lowercase domain name as the default  
value). The passsalt attribute would prevent the site from getting a  
plain-text password, as the browser would 'salt' it by default with  
the domain name string. Thus, since internet users use the same  
passwords on multiple sites anyway, passsalt will eliminate hacking  
into the various online accounts a user has.

Real-life examples & reasons for adding passsalt to html5:
1) A Finnish site, alypaa.com, got hacked a month ago. The hacker  
stole some 100,000 (unencrypted) user passwords from their database.  
But what the media noticed first was that many leading politicians  
had had their blogs, home pages and Facebook pages defaced.
2) A couple of weeks ago a Russian hacker was selling his user names  
& passwords for 1.5 million Facebook accounts.
3) A week ago a new data protection law for Massachusetts was  
suggested; basically it says personally identifiable information  
(that is usable for identity theft crimes) about Massachusetts  
residents may not be stolen, or _you_ will get a fine of $5,000 per  
breach or lost record.

http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

It can be expected that laws around the world will be going in that  
direction as the identity theft problem keeps getting worse. That  
passsalt attribute alone would eliminate LOTS of identity thefts, and  
it is easily doable.

Ok, try to hack the rest of that *beautiful* <meta="encrypt" tag, and  
please don't say that you can instead use https / JS or some other  
thing that JUST DOESN'T WORK in real life.

Juuso Hukkanen
www.colordev.com
Received on Thursday, 6 May 2010 05:44:18 UTC
