Idea for securityfix in HTML from Xatr0z on 2002-11-15 (www-forms@w3.org from November 2002)

From: Xatr0z <xatr0z@home.nl>
Date: Fri, 15 Nov 2002 23:04:18 +0100
To: <www-forms@w3.org>, <www-html@w3.org>, <www-html-editor@w3.org>
Message-ID: <00c501c28cf2$f4c7bc20$44b479d9@emmen1.dr.home.nl>

Hello,

We have got an idea for an securityfix in HTML. When people send sensitive
information with HTML forms, this information can be read. This is very
insecure,
just like the FTP protocol sends passwords without encryption. This is also
the reason that a lot of WWWebsites are using https:// instead of http://.

A normal HTML form which allows a user to login to a system, could look
like this:


<form action=3D"http://www.wwwebsite.com/script.cgi" method=3D"POST">
        Insert your username
        <input type=3D"TEXT" name=3D"username"/>
        <br />
        Insert your password:
        <input type=3D"PASSWORD" name=3D"password"/>
        <input type=3D"SUBMIT" name=3D"SUBMIT" value=3D"SUBMIT"/>
</form>


All this information is send without any encryption. We suggest to add
the following attribute to the <INPUT> tag. Like this:


<form action=3D"http://www.wwwebsite.com/script.cgi" method=3D"POST">
        Insert your username:
        <input type=3D"TEXT" name=3D"username" crypt=3D"ROT13"/>
        <br />
         Insert your password:
         <input type=3D"PASSWORD" name=3D"password" crypt=3D"MD5"/>
         <input type=3D"SUBMIT" name=3D"SUBMIT" value=3D"SUBMIT"/>
</form>


This attribute, crypt, could have values like "MD5" (for MD5 encryption),
"ROT13", or "Base64". The values of the <INPUT> tag should be encrypted
by the HTTP client, and send to the HTTP server. Also, there should be a
method to take a checksum from a file uploaded to the HTTP server.

We suggest to create a method which allows the HTTP client to send the file
AND the checksum in one <INPUT> tag, otherwise, people who are using the
HTTP client have to insert the filename twice, to upload the file, and to
send the checksum. The idea of sending checksums is great for the
HTTP server to determine if the uploaded file is send well.

We hope this idea will be included in the W3C standards of HTML and XHTML.



Regards,

D. Willems "Xatr0z" <xatr0z at users.sourceforge.net>

and

M. Verbeek "K!LLER" <system_error at pandora.be>

Received on Friday, 15 November 2002 17:11:43 UTC