- From: Xatr0z <xatr0z@home.nl>
- Date: Sat, 16 Nov 2002 12:28:39 +0100
- To: "Boris Zbarsky" <bzbarsky@MIT.EDU>
- Cc: <www-forms@w3.org>, <www-html@w3.org>, <www-html-editor@w3.org>
>
> > Yes, you're right, but if we take an MD5 hash instead of the plain password,
> > the data would be safer.
>
> Like I said, you get a misleading illusion of safety for both parties.
> In reality, neither is more secure, and is hence more vulnerable (same
> level of actual security, but more likely to do stupid things due to the
> perception of security).

I think this is going to end up in a discussion if it would be safe or not, but I think it is. If someone is "sniffing" and gets the HTTP request instead of the HTTP server, he or she doesn't get the password, but it's encrypted (or with MD5, that depends on the HTTP request). Of course, it isn't secure, he or she could try a dictionary or brute-force attack, but it is more secure, and I think that's a good thing.

What do you feel about the idea to create an attribute which allows the client to send an (MD5) checksum of the file, to determine if the transport went well? Another idea, maybe make something like a "checksum" value in the type attribute in the <INPUT> tag, which takes a checksum of all data?

Regards,
D. Willems "Xatr0z"
<xatr0z at users dot sourceforge dot net>
Received on Saturday, 16 November 2002 06:30:39 UTC
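
The design question debated in this message, as an added example that is not part of the original post: a form that submits MD5(password) makes the hash itself the credential the server accepts, compared with a challenge-response where each submitted value is bound to a one-time nonce. All class and function names and the sample password are hypothetical.

```python
import hashlib
import hmac
import secrets

PASSWORD = "correct horse"  # constructed sample credential


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


class StaticHashServer:
    """Form posts MD5(password); the server compares it with a stored MD5."""

    def __init__(self, password):
        self.stored = md5_hex(password)

    def login(self, submitted):
        return hmac.compare_digest(submitted, self.stored)


class ChallengeServer:
    """Server issues a one-time nonce; client returns HMAC(MD5(password), nonce)."""

    def __init__(self, password):
        self.key = md5_hex(password).encode()
        self.pending = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def login(self, nonce, response):
        if nonce not in self.pending:
            return False          # unknown or already used nonce
        self.pending.discard(nonce)
        return hmac.compare_digest(response, client_response(self.key, nonce))


def client_response(key, nonce):
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()


def demo():
    observed = md5_hex(PASSWORD)                  # value visible in the request
    static_ok = StaticHashServer(PASSWORD).login(observed)
    server = ChallengeServer(PASSWORD)
    n1 = server.challenge()
    r1 = client_response(md5_hex(PASSWORD).encode(), n1)
    first = server.login(n1, r1)                  # legitimate login
    same_nonce = server.login(n1, r1)             # same pair resubmitted
    new_nonce = server.login(server.challenge(), r1)  # old response, fresh nonce
    return static_ok, first, same_nonce, new_nonce
```

Neither variant protects the rest of the session or the submitted form data; that needs an encrypted transport such as TLS.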