Asking too much of User Agents: Passwords in the clear again

Hash: SHA1

As the draft minutes [1] suggest, another tricky case wrt the proposed
finding on Passwords in the Clear [2] has emerged: Just because a form
with an <input type='password'>... is delivered via http and not https
does not necessarily mean the password will be shipped over the wire
in the clear -- it's been asserted that it's possible for javascript
on the page, invoked by an 'onsubmit' hook, to use some form of
(possibly public-key?) encryption so that what is actually submitted
is safe from snooping.  Clearly the User Agent can't tell that this is
being done, and so would be expected to issue a warning to the user as
the finding currently stands, which would be misleading at best.

Security experts:  1) Is such Javascript actually possible?  If so,
                      does it provide an acceptable level of security?
                   2) Is it being done today (on the call it was
                      suggested that Yahoo does this)?


- -- 
 Henry S. Thompson, HCRC Language Technology Group, University of Edinburgh
                     Half-time member of W3C Team
    2 Buccleuch Place, Edinburgh EH8 9LW, SCOTLAND -- (44) 131 650-4440
            Fax: (44) 131 650-4587, e-mail:
[mail really from me _always_ has this .sig -- mail without it is forged spam]
Version: GnuPG v1.2.6 (GNU/Linux)


Received on Tuesday, 9 January 2007 21:56:48 UTC