[whatwg] webforms2: new hash attribute for input ?

Julien TOUCHE julien.touche at lycos.com
Wed Aug 15 08:08:51 PDT 2007


I want to sugges some new attributes related to security of the form for
Web Forms 2, XForms and HTML 5.

<input type="password" hash="sha256" name="mypass" />
        so the browser transmits only the corresponding hash of the
given value.

Also, as we need to avoid to transform hash as a simple password, server
need to propose one-time salt for the client like this
<input type="password" hash="sha256" salt="123456" name="mypass" />
in order to avoid crackers to submit directly the hash to servers.

It could be seen as the same alternative as apache mod_auth and
mod_auth_digest. It does not remove the need for https, but improve
security on one layer.
Why ? Avoid form grabbing on browser from current malware which can
intercept GET and POST request even on https. (you could do the same
with firefox and "Live HTTP Headers" extension)
Today, the only alternative is to use javascript or java to hash
password, which is hardly done by banks and never outside.
Including in w3 standard, would give it a better exposure.

As standard advice, following hash needs to be included in spec:
sha256/512 and legacy md5/sha1 (market will add others if needed)



Note: problem of passwd + salt => it needs to have a cleartext password
in server database as the hash will depend on the salt. Else we can use
some ugly hack like client hashing password without salt to gain server
hash, adding one time salt, and hashing again to gain a
one-time-password which could be compared on the server and not used by
a cracker ... to be discussed to have a reliable implementation.

More information about the whatwg mailing list