- From: Henry S. Thompson <ht@inf.ed.ac.uk>
- Date: Tue, 09 Jan 2007 21:56:38 +0000
- To: www-tag@w3.org
As the draft minutes [1] suggest, another tricky case wrt the proposed finding on Passwords in the Clear [2] has emerged:

Just because a form with an <input type='password'>... is delivered via http and not https does not necessarily mean the password will be shipped over the wire in the clear -- it's been asserted that it's possible for javascript on the page, invoked by an 'onsubmit' hook, to use some form of (possibly public-key?) encryption so that what is actually submitted is safe from snooping.

Clearly the User Agent can't tell that this is being done, and so would be expected to issue a warning to the user as the finding currently stands, which would be misleading at best.

Security experts:

1) Is such Javascript actually possible? If so, does it provide an acceptable level of security?

2) Is it being done today (on the call it was suggested that Yahoo does this)?

ht

[1] http://www.w3.org/2007/01/09-tagmem-minutes.html
[2] http://www.w3.org/2001/tag/doc/passwords-InTheClear-52

--
Henry S. Thompson, HCRC Language Technology Group, University of Edinburgh
Half-time member of W3C Team
2 Buccleuch Place, Edinburgh EH8 9LW, SCOTLAND -- (44) 131 650-4440
Fax: (44) 131 650-4587, e-mail: ht@inf.ed.ac.uk
URL: http://www.ltg.ed.ac.uk/~ht/
[mail really from me _always_ has this .sig -- mail without it is forged spam]
Received on Tuesday, 9 January 2007 21:56:48 UTC