[whatwg] Solving the login/logout problem in HTML
Kornel Lesinski
kornel at geekhood.net
Tue Nov 25 16:38:22 PST 2008
On Tue, 25 Nov 2008 05:26:47 -0000, Ian Hickson <ian at hixie.ch> wrote:
>> http://www.w3.org/TR/1999/NOTE-authentform-19990203
[...]
> I don't really understand what problem the above solves that isn't solved
> better by SSL.
I agree that if real security is desired, SSL is the only way to go.
However given that most login forms on the web send passwords in the
clear, other problems were more important than security.
Form + Digest avoids these SSL problems:
* Does not negatively impact performance. In TLS handshake lots of
messages are going back and forth, so this can't be fixed by beefing up
servers' CPUs.
* Does not need access to server's configuration, and generation,
installation and renewal of certificates. Redistributable software can
support it out of the box, on almost any server, without manual
installation steps.
Additionally, it's better than new "WWW-Authenticate: HTML" authentication
mechanism:
* It's compatible with existing non-HTML HTTP clients.
* Although its security is weak compared to SSL, it's a step up from forms
+ cookies.
* It's easier to sell: "It will allow bots to log in" doesn't sound very
desirable. "It will protect your users' passwords against passive
eavesdropping" sounds better.
I don't think "WWW-Authenticate: HTML" is a significant improvement. It
doesn't offer anything to existing websites/browsers. It's primarily
targetted for non-browser UAs, but it's not compatible with them.
If UAs are required to parse HTML, they could as well look for form with a
single password field.
--
regards, Kornel Lesinski
More information about the whatwg
mailing list