Asking too much of User Agents: Passwords in the clear again

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As the draft minutes [1] suggest, another tricky case wrt the proposed
finding on Passwords in the Clear [2] has emerged: Just because a form
with an <input type='password'>... is delivered via http and not https
does not necessarily mean the password will be shipped over the wire
in the clear -- it's been asserted that it's possible for javascript
on the page, invoked by an 'onsubmit' hook, to use some form of
(possibly public-key?) encryption so that what is actually submitted
is safe from snooping.  Clearly the User Agent can't tell that this is
being done, and so would be expected to issue a warning to the user as
the finding currently stands, which would be misleading at best.

Security experts:  1) Is such Javascript actually possible?  If so,
                      does it provide an acceptable level of security?
                   2) Is it being done today (on the call it was
                      suggested that Yahoo does this)?

ht

[1] http://www.w3.org/2007/01/09-tagmem-minutes.html
[2] http://www.w3.org/2001/tag/doc/passwords-InTheClear-52
- -- 
 Henry S. Thompson, HCRC Language Technology Group, University of Edinburgh
                     Half-time member of W3C Team
    2 Buccleuch Place, Edinburgh EH8 9LW, SCOTLAND -- (44) 131 650-4440
            Fax: (44) 131 650-4587, e-mail: ht@inf.ed.ac.uk
                   URL: http://www.ltg.ed.ac.uk/~ht/
[mail really from me _always_ has this .sig -- mail without it is forged spam]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFFpA+WkjnJixAXWBoRArc8AJ9erZRLrrx+k5R27JlYjcEjXwliVgCdF2s5
ApZ4AGdny/kb3HxSyRO9H68=
=Ez2J
-----END PGP SIGNATURE-----

Received on Tuesday, 9 January 2007 21:56:48 UTC