- From: Rice, Ed (ProCurve) <ed.rice@hp.com>
- Date: Wed, 27 Jun 2007 15:06:28 -0000
- To: "Williams, Stuart (HP Labs, Bristol)" <skw@hp.com>, "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
- Cc: <www-tag@w3.org>
FYI.. Yahoo has moved away from the submit script and has moved to SSL. I know of no current examples of client side encryption via java script in use at a major site. -----Original Message----- From: Williams, Stuart (HP Labs, Bristol) Sent: Wednesday, June 27, 2007 5:38 AM To: Mary Ellen Zurko Cc: www-tag@w3.org; Rice, Ed (ProCurve) Subject: [passwordInTheClear-52]: A summary of where I think we are. Hello Mez, The TAG returned to discussion of passwordsInTheClear-52 at our telcon yesterday [1]. There seem to be 3 issues remaining on the table: 1) Some regard that there are reasonable use cases for weak protection of passwords - and demur against the Good Practice advice: "A client or browser SHOULD NOT transmit passwords in clear text." 2) Some editorial ambiguities in the current draft: for example, what is the intent of: "Good Practice: A server SHOULD NOT solicit any passwords in clear text" in particular the word 'solicit' and whether it is intended to refer to the way in which user (via a UA) is asked for a password, or the way in which the password is transfered between UA and server, or both - different TAG members read this differently. 3) and probably more significantly, is the issue of the use of 'onsubmit' hooks to do client side processing of a form field: Specifically client side encryption of a password field between submit button-hit and the UA submit action (often a POST). If one were to *want* to recommend (as many of the TAG do) that a UA should/must raise a warning to the user when it 'detects' that a password field is about to be transmitted in the clear, how is a UA to 'know' that effect of 'onsubmit' processing is to encrypt or generating a signature over the password (plus some challenge) thereby making the transfer far from 'in the clear'. Notwithstanding 1) above; if the aim is to alert the user that a password they are giving may be vulnerable to interception in transit (because it is visible in clear text), then we have failed to identify a reliable basis on which a UA can detect that situation. The tricky use case is where an 'onsubmit' hooks is used to secure the password. In exploring this, some TAG members suggest that it may be better for a UA to alert a user in the presense of indetermininate 'onsubmit' behaviours than to supress such warning. Others are concerned that this is a common use case at a number of sites (Yahoo! has been cited as one significant case); that users would be alerted 'erroreously' because the transfer is infact made secure by the action of the 'onsubmit' hook - the UA is just not able to tell; consequently the user will become irritated by a repeating alert and either come to ignore it (in general), or disable it (if they have the option to do so) - thus defeating the purpose of having an alert in the first place. In polling the TAG on: "Is this a viable finding: a) as it is? b) Without the teeth? c) If we added more caveats about lightweight passwords?" there seemed to be: a desire to find a reliable basis on which to advise that UA's detect weakly protected password transfers; a desire find wording that admitted some of the 'lightly' protected door secnarios (1 above - and thread starting at [1]) some sentiment that only a publication with some teeth would be worth publishing ie. some means to determine fault and recommended corrective action (my interpretation of 'teeth'). In your response to me [3], you suggest that 3) above (usage of onsumbit hooks) is somewhat hypotheical. I think that a several TAG members would need to be persuaded that the case is hypothetical. There is certainly a belief that Yahoo! either have in the past or indeed continue to use such mechanisms in some geographies - though at present, form where I am, they do seem to be authenticating with https interactions. FWIW: personnally I think that using the onsubmit mechanism to secure an otherwise 'in-clear' exchange (ie. via http rather than https) while 'cute' is probably bad practice because the practice denies the UA the ability to reliably warn the user that a password they are using may be vulnerable. If the major sites that we thought were using that practice have moved away from doing so (or never were doing it quite the way we thought they were) I think it would be worthwhile advising against practice. It would be good to try to schedule some time so that you can discuss this further with TAG members, however, your availability and the impending summer season (if the weather ever gets better here :-) ) make scheduling that a challenge. Maybe in the mean time we could continue some discussion with the TAG on this thread. Many thanks, Stuart -- [1] http://lists.w3.org/Archives/Public/www-tag/2006Nov/0085.html [2] http://lists.w3.org/Archives/Member/tag/2007Jun/0050.html -- Hewlett-Packard Limited registered Office: Cain Road, Bracknell, Berks RG12 1HN Registered No: 690597 England
Received on Wednesday, 27 June 2007 15:08:02 UTC