
[whatwg] meta="encrypt" tag is needed

From: And Clover <and-py@doxdesk.com>
Date: Mon, 10 May 2010 13:08:21 +0200
Message-ID: <4BE7E925.6090505@doxdesk.com>

On 05/07/2010 07:06 PM, Juuso Hukkanen wrote:

> the auth="verisign" argument, which _is_ enough to prevent all practical
> (,even if they are all theoretical!,) man-in-the-middle attacks.

No it doesn't. The initial page load stage is by necessity unencrypted, 
and so an active MitM attack could simply remove the tag, or add a JS 
keylogger script to the page, or whatever other method an attacker might 
choose. Unless the user is expected to view source and check every last 
byte of the page and scripts used in it (which will never happen), they 
have no way to know their communications are secure.

In any case, if you add CAs, your proposal becomes just as 'heavy' as 
HTTPS. What advantage does your proposal have over HTTPS, then? Because 
it appears to have many disadvantages.

As for password 'salting', client-side challenge-response authentication 
is already addressed much more securely by Digest Authentication, 
Kerberos, or JS approaches. And if you have HTTPS, it's not really so 
bad to send a plain password to the server, which will hopefully 
hash/salt it itself. You have to send a plain password in order to set 
it in the first place anyway.

> <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">

Don't do that. That's a basic, beginner-author XSS vulnerability.

-- 
And Clover
mailto:and at doxdesk.com
http://www.doxdesk.com/
Received on Monday, 10 May 2010 04:08:21 UTC
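
The PHP_SELF issue flagged at the end of the message, shown as an added example that is not part of the original post: the quoted form tag beside two corrected forms. The function names and the sample path are constructed for illustration; the sample stands in for $_SERVER['PHP_SELF'], which includes whatever path the client appends after the script name.

```php
<?php
// Added example, not code from the thread.
// Constructed stand-in for $_SERVER['PHP_SELF'] on a request whose path
// carries extra markup after the script name (PATH_INFO is client-controlled).
$phpSelf = '/form.php/"><b>injected</b>';

// As quoted in the thread: the value lands in the attribute unescaped,
// so a double quote in the path closes the attribute and the tag.
function form_tag_unescaped(string $self): string
{
    return '<form method="post" action="' . $self . '">';
}

// Corrected: escape for the HTML attribute context before output.
function form_tag_escaped(string $self): string
{
    $safe = htmlspecialchars($self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Corrected, alternative: reflect nothing. A form with no action
// attribute submits to the URL of the current document.
function form_tag_no_action(): string
{
    return '<form method="post">';
}

$variants = [
    'unescaped' => form_tag_unescaped($phpSelf),
    'escaped'   => form_tag_escaped($phpSelf),
    'no action' => form_tag_no_action(),
];

foreach ($variants as $label => $html) {
    // A literal "<b>" in the output means request data became markup.
    $verdict = strpos($html, '<b>') !== false ? 'markup injected' : 'inert';
    printf("%-10s %-16s %s\n", $label, $verdict, $html);
}
```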
