Re: Idea for securityfix in HTML

> A normal HTML form which allows a user to login to a system, could look
> like this:

The real problem here is that people are not using the security features
in HTTP.  In band logins in HTML are intrinsically insecure even if you
use challenge response techniques as they generally rely on cookies, 
referer or hidden form fields to protect the internal pages and these 
all simply return unmodified data to the server.  They are done essentially
for vanity reasons.

(I agree with the other points that this proposal is plain text equivalent.
HTTP basic authentication is also plain text equivalent.  I don't know enough
about the MD5 authentication scheme in HTTP - getting good varying challenges
is going to be a problem.  HTTPS is the only really secure way of handling

Received on Saturday, 16 November 2002 04:50:26 UTC