Re: Idea for securityfix in HTML from Xatr0z on 2002-11-16 (www-html-editor@w3.org from October to December 2002)

From: Xatr0z <xatr0z@home.nl>
Date: Sat, 16 Nov 2002 11:07:43 +0100
To: <www-forms@w3.org>, <www-html@w3.org>, <www-html-editor@w3.org>
Message-ID: <005c01c28d58$019cffe0$44b479d9@emmen1.dr.home.nl>

----- Original Message -----
From: Toby Inkster <tobyink@goddamn.co.uk>
To: Xatr0z <xatr0z@users.sourceforge.net>; <www-html-request@w3.org>
Sent: Friday, November 15, 2002 11:32 PM
Subject: Re: Idea for securityfix in HTML


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, 15 Nov 2002 23:04:18 +0100
> "Xatr0z" <xatr0z@home.nl> wrote:
>
> | We hope this idea will be included in the W3C standards of HTML and
> | XHTML.

[snip]

> This is a terrible idea for the following reasons:
>
> a) Rot13 and Base64 provide no security at all. Assuming rot13'd data is
intercepted, it can be easily decoded by a 10 year old with a pen and paper.

It was an example, we were just numbering some encryptions.

> b) MD5 isn't even encryption -- it's a hash -- not reversible. Thus the
server couldn't decode the information at the other end anyway!

Yes, but a lot of systems use MD5 hashes in databases, for passwords by
example.

> c) Why bother when we already have HTTPS? HTTPS provides security
infinitely better than all the methods you have suggested.

I think HTTP should be save.

> d) HTML is dead, there are no plans to recommend any further versions.

I personaly think this is a bad idea, HTML is still used a lot on the WWW.


Regards,

D. Willems "Xatr0z" <xatr0z at users.sourceforge.net>

Received on Saturday, 16 November 2002 05:09:37 UTC