[whatwg] meta="encrypt" tag is needed
and-py at doxdesk.com
Mon May 10 04:08:21 PDT 2010
On 05/07/2010 07:06 PM, Juuso Hukkanen wrote:
> the auth="verisign" argument, which _is_ enough to prevent all practical
> (,even if they are all theoretical!,) man-in-the-middle attacks.
No it doesn't. The initial page load stage is by necessity unencrypted,
and so an active MitM attack could simply remove the tag, or add a JS
keylogged script to the page, or whatever other method an attacker might
choose. Unless the user is expected to view source and check every last
byte of the page and scripts used in it (which will never happen), they
have no way to know their communications are secure.
In any case, if you add CAs, your proposal becomes just as 'heavy' as
HTTPS. What advantage does your proposal have over HTTPS, then? Because
it appears to have many disadvantages.
As for password 'salting', client-side challenge-response authentication
is already addressed much more securely by Digest Authentication,
Kerberos, or JS approaches. And if you have HTTPS, it's not really so
bad to send a plain password to the server, which will hopefully
hash/salt it itself. You have to send a plain password in order to set
it in the first place anyway.
> <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
Don't do that. That's a basic, beginner-author XSS vulnerability.
mailto:and at doxdesk.com
More information about the whatwg