- From: Xatr0z <xatr0z@home.nl>
- Date: Fri, 15 Nov 2002 23:04:18 +0100
- To: <www-forms@w3.org>, <www-html@w3.org>, <www-html-editor@w3.org>
Hello,

We have got an idea for a security fix in HTML. When people send sensitive information with HTML forms, this information can be read. This is very insecure, just like the FTP protocol sends passwords without encryption. This is also the reason that a lot of WWWebsites are using https:// instead of http://.

A normal HTML form which allows a user to log in to a system could look like this:

  <form action="http://www.wwwebsite.com/script.cgi" method="POST">
    Insert your username: <input type="TEXT" name="username"/> <br />
    Insert your password: <input type="PASSWORD" name="password"/>
    <input type="SUBMIT" name="SUBMIT" value="SUBMIT"/>
  </form>

All this information is sent without any encryption. We suggest adding the following attribute to the <INPUT> tag, like this:

  <form action="http://www.wwwebsite.com/script.cgi" method="POST">
    Insert your username: <input type="TEXT" name="username" crypt="ROT13"/> <br />
    Insert your password: <input type="PASSWORD" name="password" crypt="MD5"/>
    <input type="SUBMIT" name="SUBMIT" value="SUBMIT"/>
  </form>

This attribute, crypt, could have values like "MD5" (for MD5 encryption), "ROT13", or "Base64". The values of the <INPUT> tag should be encrypted by the HTTP client and sent to the HTTP server.

Also, there should be a method to take a checksum of a file uploaded to the HTTP server. We suggest creating a method which allows the HTTP client to send the file AND the checksum in one <INPUT> tag; otherwise, people who are using the HTTP client have to insert the filename twice: once to upload the file, and once to send the checksum. The idea of sending checksums is great for the HTTP server to determine if the uploaded file was sent correctly.

We hope this idea will be included in the W3C standards of HTML and XHTML.

Regards,
D. Willems "Xatr0z" <xatr0z at users.sourceforge.net>
and M. Verbeek "K!LLER" <system_error at pandora.be>
Received on Friday, 15 November 2002 17:11:43 UTC