[whatwg] Solving the login/logout problem in HTML

Kornel Lesinski kornel at geekhood.net
Tue Nov 25 16:38:22 PST 2008


On Tue, 25 Nov 2008 05:26:47 -0000, Ian Hickson <ian at hixie.ch> wrote:

>> http://www.w3.org/TR/1999/NOTE-authentform-19990203
[...]
> I don't really understand what problem the above solves that isn't solved
> better by SSL.

I agree that if real security is desired, SSL is the only way to go.
However given that most login forms on the web send passwords in the
clear, other problems were more important than security.

Form + Digest avoids these SSL problems:

* Does not negatively impact performance. In TLS handshake lots of  
messages are going back and forth, so this can't be fixed by beefing up  
servers' CPUs.
* Does not need access to server's configuration, and generation,  
installation and renewal of certificates. Redistributable software can  
support it out of the box, on almost any server, without manual  
installation steps.

Additionally, it's better than new "WWW-Authenticate: HTML" authentication  
mechanism:

* It's compatible with existing non-HTML HTTP clients.
* Although its security is weak compared to SSL, it's a step up from forms  
+ cookies.
* It's easier to sell: "It will allow bots to log in" doesn't sound very  
desirable. "It will protect your users' passwords against passive  
eavesdropping" sounds better.

I don't think "WWW-Authenticate: HTML" is a significant improvement. It  
doesn't offer anything to existing websites/browsers. It's primarily  
targetted for non-browser UAs, but it's not compatible with them.
If UAs are required to parse HTML, they could as well look for form with a  
single password field.

-- 
regards, Kornel Lesinski



More information about the whatwg mailing list