RE: Passwords in the Clear

I think that the prevalence of server-side authenticated HTTPS sites for
B2C commerce is so great as to indicate that users can handle it. I
don't know what proportion of the internet's users in countries with
high banking penetration have bought a good, booked a flight, or managed
an account using such technology in the past year, but it must exceed
the number of geeks in the world by a fair few orders of magnitude.

Certificates don't give you high protection from fraudulent endpoints, I
agree, but they give some, and they do give you protection from
observation of data in motion. 

Digest Auth does not require any infrastructure other than implementing
endpoints. Last I checked this would apply for mass-market browsers and
web servers. NTLM is also easily available. Both are non-intrusive from
a user perspective.

Given this, it would be useful to see a more precise description of
additional circumstances (beyond the "stop the bot" in the document)
where P in the C is in fact applicable. 

Alastair


-----Original Message-----
From: John Cowan [mailto:cowan@ccil.org] 
Sent: 13 December 2006 14:17
To: Green, Alastair: IT (LDN)
Cc: www-tag@w3.org; alastair.green@choreology.com
Subject: Re: Passwords in the Clear


Alastair.Green@barclayscapital.com scripsit:

> Contrariwise, a ukase against passwords in the clear seems
> appropriate because a) it's a gross and inarguable security violation,
> and b) everyone has the equipment to implement the solution, even when
> using free software. Cost = 0, benefit > 0 => no-brainer.

I continue to disagree.  Sometimes passwords in the clear provide just
enough security to be useful without being intrusive, in which case the
benefit of stronger security = 0.  And the cost of HTTPS is still
greater than zero: server operators must either pay for certificates or
use self-certification and deal with nervous customers who worry about
unknown-certifier popups in their browsers, though typical certificates
are about as reliable as self-certificates, that is to say, not at all.

-- 
Even the best of friends cannot                 John Cowan
attend each others' funeral.                    cowan@ccil.org
        --Kehlog Albran, The Profit
http://www.ccil.org/~cowan

Received on Thursday, 14 December 2006 12:09:49 UTC
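Alastair's point above is that Digest Auth needs nothing beyond the two endpoints. The following is an added example, not part of this thread or of any browser or server code, of the RFC 2617 Digest exchange (qop="auth") with both client and server sides in one Python file: the server stores only MD5(username:realm:password), the password string never appears in the Authorization parameters, and a strictly increasing nonce count rejects replays. The realm "shop.example", the account "alice", the password and the wordlist are constructed for the example; the nonce and cnonce values are the ones from RFC 2617's own worked example. The last function shows the caveat a practitioner would want: a passive observer of one exchange can test password guesses offline, so Digest protects the password from casual capture but, unlike HTTPS, does not protect the data in motion or a weak password.

```python
"""HTTP Digest authentication (RFC 2617, qop="auth") as a worked exchange.

Constructed example: client and server run in one process, no network.
"""
import hashlib
import secrets
from typing import Optional


def md5_hex(*parts: str) -> str:
    # RFC 2617 defines every digest as MD5 over colon-joined fields.
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    return md5_hex(username, realm, password)


def compute_ha2(method: str, uri: str) -> str:
    return md5_hex(method, uri)


def compute_response(ha1: str, nonce: str, nc: str, cnonce: str, ha2: str) -> str:
    # qop="auth" form: MD5(HA1:nonce:nc:cnonce:qop:HA2)
    return md5_hex(ha1, nonce, nc, cnonce, "auth", ha2)


class DigestServer:
    """Server side: keeps HA1 per user (never the password) and nonce counters."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        # Clear passwords are hashed once at provisioning time and discarded.
        self.ha1_by_user = {u: compute_ha1(u, realm, p) for u, p in users.items()}
        self.nonce_state = {}  # nonce -> highest nc accepted so far

    def challenge(self, nonce: Optional[str] = None) -> dict:
        """WWW-Authenticate parameters; a fixed nonce may be supplied for tests."""
        nonce = nonce or secrets.token_hex(16)
        self.nonce_state[nonce] = 0
        return {"realm": self.realm, "qop": "auth", "nonce": nonce}

    def verify(self, method: str, auth: dict) -> bool:
        """Validate Authorization parameters; True only for a fresh, correct response."""
        nonce = auth.get("nonce")
        if nonce not in self.nonce_state or auth.get("realm") != self.realm:
            return False  # nonce we never issued
        try:
            nc = int(auth["nc"], 16)
        except (KeyError, ValueError):
            return False
        if nc <= self.nonce_state[nonce]:
            return False  # replay: nonce count must strictly increase
        ha1 = self.ha1_by_user.get(auth.get("username", ""))
        if ha1 is None:
            return False
        expected = compute_response(ha1, nonce, auth["nc"], auth.get("cnonce", ""),
                                    compute_ha2(method, auth.get("uri", "")))
        if not secrets.compare_digest(expected, auth.get("response", "")):
            return False
        self.nonce_state[nonce] = nc
        return True


def client_authorize(username: str, password: str, method: str, uri: str,
                     challenge: dict, nc: str = "00000001",
                     cnonce: Optional[str] = None) -> dict:
    """Build Authorization parameters; the password is only ever hashed locally."""
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = compute_ha1(username, challenge["realm"], password)
    ha2 = compute_ha2(method, uri)
    return {
        "username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
        "uri": uri, "qop": "auth", "nc": nc, "cnonce": cnonce,
        "response": compute_response(ha1, challenge["nonce"], nc, cnonce, ha2),
    }


def offline_guess(method: str, captured: dict, wordlist) -> Optional[str]:
    """The caveat: one captured exchange lets an eavesdropper test guesses offline."""
    ha2 = compute_ha2(method, captured["uri"])
    for guess in wordlist:
        ha1 = compute_ha1(captured["username"], captured["realm"], guess)
        if compute_response(ha1, captured["nonce"], captured["nc"],
                            captured["cnonce"], ha2) == captured["response"]:
            return guess
    return None


def run_exchange(password_sent: str = "correct horse", nc: str = "00000001"):
    """One GET /account exchange against a constructed account; returns (accepted, auth)."""
    server = DigestServer("shop.example", {"alice": "correct horse"})
    chal = server.challenge(nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093")
    auth = client_authorize("alice", password_sent, "GET", "/account", chal,
                            nc=nc, cnonce="0a4f113b")
    return server.verify("GET", auth), auth


if __name__ == "__main__":
    accepted, auth = run_exchange()
    print("accepted:", accepted, "| password on wire:", "correct horse" in str(auth))
    print("offline guess:", offline_guess("GET", auth, ["123456", "correct horse"]))
```

The point of the `nonce_state` bookkeeping is that a sniffed Authorization header cannot simply be resent; the point of `offline_guess` is that it does not need to be, because MD5 of a user-chosen password is cheap to brute-force from the captured response.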