W3C home > Mailing lists > Public > www-validator@w3.org > September 2001

(unknown charset) Re: www-validator Security Issue (Basic Auth)

From: (unknown charset) Nick Kew <nick@webthing.com>
Date: Mon, 3 Sep 2001 14:57:22 +0100 (BST)
To: (unknown charset) Samuel Rinnetmäki <samuel.rinnetmaki@tothepoint.fi>
cc: (unknown charset) www-validator@w3.org
Message-ID: <Pine.BSF.4.21.0109031445530.318-100000@fenris.webthing.com>

On Mon, 3 Sep 2001, Samuel[ISO-8859-1]  Rinnetmäki wrote:

> W3C HTML Validation Service has a security issue regarding to HTTP Basic
> Authentication.
> I searched the archives of this mailing list for "+www-validator
> +authentication" and found some disussion about HTTP Basic Authentication
> not being secure, but I think the HTML Validation Service implements HTTP
> Basic Authentication in a way that is even more insecure than the HTTP
> Basic Authentication usually. 

It's not quite that bad.

> If I use the Validator to validate a document on a server (A) which
> requires authentication, Validator asks for the credentials. If I then try
> and validate another document on another server (B), my browser sends the
> same credentials

Yes indeed.

However, server B can only use the credentials if it can identify
server A, which could be anywhere on the 'net.  So it's not really
adding anything further to the insecurity of HTTP Basic Authentication
(and no, this is not 'security through obscurity').

> What the "check" script should do is to keep track of the Realms which
> require authorization,

That is not a cure.  There's nothing unique about a realm.

I would suggest that a better option is to allow the user to enter the
credentials in an HTML form, rather than use an authentication dialogue.
This is the approach taken by cg-eye (see my .sig).

Nick Kew

Site Valet - the essential service for anyone with a website.
Received on Monday, 3 September 2001 09:57:49 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:58:23 UTC