Re: Idea for securityfix in HTML

> All this information is send without any encryption. We suggest to add
> the following attribute to the <INPUT> tag. Like this:

The problem, of course, is that if a form is loaded over http:// you may
know the data is being encrypted and sent somewhere but not _who_ it's
being sent to.  Authentication of both parties is a much more serious
problem than simple encryption of data (and note that you're trying to
prevent the theft of the client's identity--the password--but are doing
nothing to prevent the theft of the _server_'s identity).

Without addressing the authenticity of both sides of the transaction,
the best such a proposal can accomplish is a false sense of security.

Boris
-- 
Ninety-Ninety Rule of Project Schedules:

The first ninety percent of the task takes ninety
percent of the time, and the last ten percent takes the
other ninety percent.

Received on Friday, 15 November 2002 18:12:15 UTC