- From: (unknown charset) Nick Kew <nick@webthing.com>
- Date: Mon, 3 Sep 2001 14:57:22 +0100 (BST)
- To: (unknown charset) Samuel Rinnetmäki <samuel.rinnetmaki@tothepoint.fi>
- cc: (unknown charset) www-validator@w3.org
On Mon, 3 Sep 2001, Samuel[ISO-8859-1] Rinnetmäki wrote: > > W3C HTML Validation Service has a security issue regarding to HTTP Basic > Authentication. > > I searched the archives of this mailing list for "+www-validator > +authentication" and found some disussion about HTTP Basic Authentication > not being secure, but I think the HTML Validation Service implements HTTP > Basic Authentication in a way that is even more insecure than the HTTP > Basic Authentication usually. > > THE PROBLEM: It's not quite that bad. > If I use the Validator to validate a document on a server (A) which > requires authentication, Validator asks for the credentials. If I then try > and validate another document on another server (B), my browser sends the > same credentials Yes indeed. However, server B can only use the credentials if it can identify server A, which could be anywhere on the 'net. So it's not really adding anything further to the insecurity of HTTP Basic Authentication (and no, this is not 'security through obscurity'). > THE CURE: > > What the "check" script should do is to keep track of the Realms which > require authorization, That is not a cure. There's nothing unique about a realm. I would suggest that a better option is to allow the user to enter the credentials in an HTML form, rather than use an authentication dialogue. This is the approach taken by cg-eye (see my .sig). -- Nick Kew Site Valet - the essential service for anyone with a website. <URL:http://valet.webthing.com/>
Received on Monday, 3 September 2001 09:57:49 UTC