- From: Anil Saldhana <Anil.Saldhana@redhat.com>
- Date: Mon, 25 Jun 2007 14:10:02 -0500
- To: yngve@opera.com
- CC: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>, public-wsc-wg@w3.org
I would not consider BASIC, DIGEST, NTLM as anywhere near secure.

Yngve Nysaeter Pettersen wrote:
>
> On Mon, 25 Jun 2007 15:17:29 +0200, Mary Ellen Zurko
> <Mary_Ellen_Zurko@notesdev.ibm.com> wrote:
>
>> What do we have in our set of proposals that addresses trust decisions
>> posed by Basic Authentication? The realm information (within the modal
>> dialog in the browser I use) is set by the web site. The browser I use
>> puts the domain in the title bar. When I have the resolution on my
>> display cranked down to increase the size of everything (something I do
>> more and more these days), the most pertinent part of the domain is
>> truncated from the right hand side of the dialog's title display. I very
>> much want to know that the domain ends in "ibm.com" when I think I'm
>> typing in my IBM password. What, if anything, do we have in our proposals
>> that addresses this?
>
> I don't recall having seen anything about this, at least major
> discussion.
>
> I think a discussion of this should not be limited to Basic, but
> should include the other methods, such as Digest and NTLM/Negotiate,
> as well.
>
> Opera displays the servername as a field inside the dialog, as well as
> the realm, which is presented as a message from the server.
>
> We are currently considering what we display in this dialog and how it
> is displayed, from both a usability and a security point of view.
>
> Parts of what is being considered are:
>
> - How to present the security of the credential transmission
>
> - How to present the identity (at least the hostname) of who is
> asking for the credentials in a usable manner. This is a problem that
> is not restricted to authentication, but extends to such areas as the
> display of the URL in the address bar and determining if two servers are
> allowed to share cookies. See references below for some discussion and
> background on that.
>
> http://my.opera.com/yngve/blog/show.dml/267415
> http://weblogs.mozillazine.org/gerv/archives/2007/01/effective_tld_list_help_wanted.html
>
> http://wiki.mozilla.org/Gecko:Effective_TLD_Service
>

-- 
Anil Saldhana
Project/Technical Lead, JBoss Security & Identity Management
JBoss, A division of Red Hat Inc.
http://labs.jboss.com/portal/jbosssecurity/
Received on Monday, 25 June 2007 19:10:38 UTC
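The two points raised in the quoted message, keeping the server-controlled realm apart from the hostname the user must check, and using an effective-TLD list to decide which hosts belong to one site (for cookie sharing), are illustrated by the following added example. It is not code from the thread, from Opera or from Mozilla; the function names (`parseChallenge`, `registrableDomain`, `isUnder`, `canShareCookies`, `describeChallenge`) are hypothetical, and `PUBLIC_SUFFIXES` is a constructed handful of entries standing in for the real effective-TLD list.

```javascript
// Added example (not from the thread, Opera or Mozilla): split an HTTP auth
// challenge into the pieces a browser dialog should show separately, and work
// out which part of the hostname is the "site" the user has to read.
// Constructed subset of the effective-TLD (public suffix) list; the real list
// is far longer and also has wildcard and exception rules, omitted here.
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'uk', 'co.uk']);

// Parse a WWW-Authenticate value such as  Basic realm="Intranet",
// Digest realm="x", nonce="...", or a bare  Negotiate / NTLM <token68>.
function parseChallenge(header) {
  const m = /^\s*([A-Za-z][A-Za-z0-9._~+\/-]*)\s*(.*?)\s*$/.exec(header);
  if (!m) return null;
  const [, scheme, rest] = m;
  const params = {};
  if (/^[A-Za-z0-9._~+\/-]+=*$/.test(rest)) {
    params.token = rest;               // token68 form (NTLM/Negotiate round trips)
    return { scheme, params };
  }
  const re = /([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/g;
  let p;
  while ((p = re.exec(rest)) !== null) {
    const value = p[2] !== undefined ? p[2].replace(/\\(.)/g, '$1') : p[3];
    params[p[1].toLowerCase()] = value;
  }
  return { scheme, params };
}

// eTLD+1 of a hostname under the suffix set above. Returns null when the name
// is itself a public suffix or its TLD is unknown.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return i === 0 ? null : labels.slice(i - 1).join('.');
    }
  }
  return null;
}

// Match only on a label boundary: "login.ibm.com" is under "ibm.com";
// "ibm.com.example.net" and "notibm.com" are not.
function isUnder(hostname, domain) {
  const h = hostname.toLowerCase().replace(/\.$/, '');
  const d = domain.toLowerCase().replace(/\.$/, '');
  return h === d || h.endsWith('.' + d);
}

// Domain-scoped cookies may be shared only inside one registrable domain.
function canShareCookies(a, b) {
  const ra = registrableDomain(a);
  return ra !== null && ra === registrableDomain(b);
}

// What the dialog should present. The realm is text *from* the server and is
// kept in its own field, capped in length, so it cannot pose as the identity.
function describeChallenge(hostname, header, transportSecure) {
  const c = parseChallenge(header);
  if (!c) return null;
  return {
    host: hostname.toLowerCase(),
    site: registrableDomain(hostname),                   // the part to read, e.g. "ibm.com"
    scheme: c.scheme,
    serverMessage: (c.params.realm || '').slice(0, 80),  // server-supplied, untrusted
    // Basic over plain HTTP sends the password on the wire in the clear.
    passwordInClear: c.scheme.toLowerCase() === 'basic' && !transportSecure,
  };
}

console.log(describeChallenge('WWW.IBM.COM', 'Basic realm="ibm.com login"', false));
```

Note that the realm in the usage call reads "ibm.com login"; the dialog data keeps it in `serverMessage`, while `site` is derived from the hostname alone, which is the separation the message argues for.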