Re: Validation broken for protected pages

From: Martin Duerst <duerst@w3.org>
Date: Thu, 27 Dec 2001 15:52:08 +0900
Message-Id: <>
To: bud@uzix.com, Nick Kew <nick@webthing.com>
Cc: <www-validator@w3.org>

Hello Bud,

At 07:30 01/12/17 -0800, Bud Hovell wrote:
>Hi, Nick ...
> > > > http://lists.w3.org/Archives/Public/www-validator/2001JulSep/0476.html


>NK= > If I use the Validator to validate a document on a server (A) which
>NK= > requires authentication, Validator asks for the credentials. If I then try
>NK= > and validate another document on another server (B), my browser sends the
>NK= > same credentials
>NK= Yes indeed.
>NK= However, server B can only use the credentials if it can identify
>NK= server A, which could be anywhere on the 'net.  So it's not really
>NK= adding anything further to the insecurity of HTTP Basic Authentication
>NK= (and no, this is not 'security through obscurity').
>That's the crux of the matter: this was never a "security problem" to
>begin with. The mouse has stampeded the elephant.

I beg to disagree. It may not be that much of a security problem
in actual practice, but it's definitely very much a privacy
problem. Sending off logins and passwords for one site to
another arbitrary site isn't something I would ever expect
any Web service to do, period. If a big company would get
caught doing this (accidentally or not), there might be a
big outcry.

And I don't think 'telling the user about it'
would help; please think about whether you would use the
validator if it said "Please note that if you validate
pages on different sites (more exactly: in different
realms), your browser will send the same user name and
password that you entered for the first site to all
subsequent sites."

And please note that 'server B can only use the credentials
if it can identify server A' may in many cases not be that
difficult, because it's the same user, and it may therefore
not be difficult to guess what other sites the user may
be accessing.

>Regrettably, this would not satisfy our local conditions, either. We make
>available anonymous logins where the username/password are random strings
>unknown to the users logging in (who thus need not reveal any personal
>identifying information.) Once inside, such a user lacks the necessary
>password information to fulfill an authentication request.

How do the users get into the site without ever knowing
a password? Is that some little-known feature of HTTP
authentication, some script hack, or something else?

>And the extra
>hand-motion required entirely defeats the immediacy of one-click

I think you could easily get back there by redirecting the
user to the W3C validator. If you know how to get passwords
into the browser, you just have to calculate the realm that
the validator is going to use, or don't you?

Regards,   Martin.
Received on Thursday, 27 December 2001 02:15:16 UTC
