- From: Martin Duerst <duerst@w3.org>
- Date: Thu, 27 Dec 2001 15:52:08 +0900
- To: bud@uzix.com, Nick Kew <nick@webthing.com>
- Cc: <www-validator@w3.org>

Hello Bud,

At 07:30 01/12/17 -0800, Bud Hovell wrote:
>Hi, Nick ...
>
> > > > > http://lists.w3.org/Archives/Public/www-validator/2001JulSep/0476.html
>NK= > THE PROBLEM:
>NK= > If I use the Validator to validate a document on a server (A) which
>NK= > requires authentication, Validator asks for the credentials. If I then try
>NK= > and validate another document on another server (B), my browser sends the
>NK= > same credentials
>NK=
>NK= Yes indeed.
>NK=
>NK= However, server B can only use the credentials if it can identify
>NK= server A, which could be anywhere on the 'net. So it's not really
>NK= adding anything further to the insecurity of HTTP Basic Authentication
>NK= (and no, this is not 'security through obscurity').
>
>That's the crux of the matter: this was never a "security problem" to
>begin with. The mouse has stampeded the elephant.

I beg to disagree. It may not be that much of a security problem in actual practice, but it's definitely very much a privacy problem. Sending off logins and passwords for one site to another arbitrary site isn't something I would ever expect any Web service to do, period. If a big company would get caught doing this (accidentally or not), there might be a big outcry.

And I don't think 'telling the user about it' would help; please think about whether you would use the validator if it said "Please note that if you validate pages on different sites (more exactly: in different realms), your browser will send the same user name and password that you entered for the first site to all subsequent sites."

And please note that 'server B can only use the credentials if it can identify server A' may in many cases not be that difficult, because it's the same user, and it may therefore not be difficult to guess what other sites the user may be accessing.

>Regrettably, this would not satisfy our local conditions, either. We make
>available anonymous logins where the username/password are random strings
>unknown to the users logging in (who thus need not reveal any personal
>identifying information.) Once inside, such a user lacks the necessary
>password information to fulfill an authentication request.

How do the users get into the site without ever knowing a password? Is that some little-known feature of HTTP authentication, some script hack, or something else?

>And the extra
>hand-motion required entirely defeats the immediacy of one-click
>validation.

I think you could easily get back there by redirecting the user to the W3C validator. If you know how to get passwords into the browser, you just have to calculate the realm that the validator is going to use, or don't you?

Regards, Martin.

Received on Thursday, 27 December 2001 02:15:16 UTC