- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Fri, 15 Nov 2002 18:12:11 -0500
- To: "Xatr0z" <xatr0z@users.sourceforge.net>
- cc: www-forms@w3.org, www-html@w3.org, www-html-editor@w3.org

> All this information is sent without any encryption. We suggest to add
> the following attribute to the <INPUT> tag. Like this:

The problem, of course, is that if a form is loaded over http:// you may know the data is being encrypted and sent somewhere but not _who_ it's being sent to. Authentication of both parties is a much more serious problem than simple encryption of data (and note that you're trying to prevent the theft of the client's identity--the password--but are doing nothing to prevent the theft of the _server_'s identity).

Without addressing the authenticity of both sides of the transaction, the best such a proposal can accomplish is a false sense of security.

Boris
--
Ninety-Ninety Rule of Project Schedules: The first ninety percent of the task takes ninety percent of the time, and the last ten percent takes the other ninety percent.

Received on Friday, 15 November 2002 18:12:14 UTC