W3C home > Mailing lists > Public > www-validator@w3.org > December 2001

Re: Validation broken for protected pages

From: Bud Hovell <bud@uzix.com>
Date: Thu, 27 Dec 2001 11:49:40 -0800
Message-Id: <200112271954.fBRJsd907309@glisan.hevanet.com>
To: Martin Duerst <duerst@w3.org>
CC: <www-validator@w3.org>, <nick@webthing.com>
Hi, Martin ...

> >That's the crux of the matter: this was never a "security problem"
> to
> >begin with. The mouse has stampeded the elephant.
> I beg to disagree. It may not be that much of a security problem
> in actual practice, but it's definitely very much a privacy

Then it shouldn't be presented as a "security" problem, which it 
apparently is not, as a practical matter. Since the same information is 
involved, the "privacy" problem cannot be of any greater magnitude. QED

If it's really some kind of "privacy" concern, then it's odd this argument 
was never presented at any time prior. (Not that there was any real 
discussion about the proposed "solution" and its consequences before it 
was silently imposed -- as in the case of new charset restrictions not 
defined by the 4.0x standard.)

> problem. Sending off logins and passwords for one site to
> another arbitrary site isn't something I would ever expect
> any Web service to do, period. If a big company would get
> cought doing this (accidentally or not), there might be a
> big outcry.

Unexpected behaviors -- or unexpected changes of behavior -- often cause a 
big outcry. The response to such an outcry is the measure of the 
organization to whom they are directed.

> And I don't think 'telling the user about it'
> would help; please think about whether you would use the
> validator if it said "Please note that if you validate
> pages on different sites (more exactly: in different
> realms), your browser will send the same user name and
> password that you entered for the first site to all
> subsequent sites."

If this were the behavior selected by the administrator, I see nothing 
wrong with this approach under some (optional, non-default) conditions.

I'm also unsure how the proposed solution of passing along the Realm name, 
in addition to the login id and password, enhances either security or 
privacy except to the extent it makes more unlikely the already unlikely 
"lucky strike" on a page at a second server where the username and 
password happened to be exactly the same. (The chances the same user 
didn't also have access permission on this second server are near-zero, of 
course, unless password discipline on both servers is so minimal as to 
render security entirely meaningless, anyhow.)

> We make
> >available anonymous logins where the username/password are random
> strings
> >unknown to the users logging in (who thus need not reveal any
> personal
> >identifying information.) Once inside, such a user lacks the
> necessary
> >password information to fulfill an authentication request.
> How do the users get into the site without ever knowing
> a password? Is that some little-known feature of HTTP
> authentication, some script hack, or something else?

Scripting. And they don't need a password to get into the site -- only to 
log into an individual account on that site.
> >And the extra
> >hand-motion required entirely defeats the immediacy of one-click
> >validation.
> I think you could easily get back there by redirecting the
> user to the W3C validator. If you know how to get passwords
> into the browser, you just have to calculate the realm that
> the validator is going to use, or don't you?

The problem, of course, is that the Validator has already munged the Realm 
name -- which is why the server presents the authentication box -- so 
there is no possibility of validating it by hand-entering the correct 
login id and password. Checkmate.

Our reaction has been to simply remove validation from protected pages and 
move on. We see little benefit from further after-the-fact debate about a 
vague concern which appears to be a moving target of infinitely small 
magnitude on the distant horizon. The Validator service will continue to 
be offered at our sites for all other (which is to say most) pages until 
we have more time to address the matter permanently.

We do appreciate that much skill and effort that has gone into providing 
the Validator service (which we use constantly for development), and wish 
happy holidays to all those who have helped bring it to reality.

Bud Hovell
Received on Thursday, 27 December 2001 14:54:50 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:58:25 UTC