[whatwg] Solving the login/logout problem in HTML
Ian Hickson
ian at hixie.ch
Tue Nov 25 17:21:46 PST 2008
On Wed, 26 Nov 2008, Kornel Lesinski wrote:
> On Tue, 25 Nov 2008 05:26:47 -0000, Ian Hickson <ian at hixie.ch> wrote:
> > >
> > > http://www.w3.org/TR/1999/NOTE-authentform-19990203
> [...]
> > I don't really understand what problem the above solves that isn't solved
> > better by SSL.
>
> I agree that if real security is desired, SSL is the only way to go.
> However given that most login forms on the web send passwords in the
> clear, other problems were more important than security.
>
> Form + Digest avoids these SSL problems:
>
> * Does not negatively impact performance. In the TLS handshake, lots of messages
> go back and forth, so this can't be fixed by beefing up servers' CPUs.
This is also the case with form authentication.
> * Does not need access to server's configuration, and generation, installation
> and renewal of certificates. Redistributable software can support it out of
> the box, on almost any server, without manual installation steps.
Form authentication is even easier to support than Digest auth.
> Additionally, it's better than new "WWW-Authenticate: HTML"
> authentication mechanism:
>
> * It's compatible with existing non-HTML HTTP clients.
Agreed.
> * Although its security is weak compared to SSL, it's a step up from forms +
> cookies.
Not really. If you can sniff the password from forms + cookies, then you
can almost always also MitM a Digest connection, after which point you
have basically lost.
> * It's easier to sell: "It will allow bots to log in" doesn't sound very
> desirable. "It will protect your users' passwords against passive
> eavesdropping" sounds better.
Unfortunately, both of those advantages pale in comparison to "you can
style your login form", which is the real advantage of "WWW-Authenticate:
HTML" and (in particular) HTML form authentication.
> I don't think "WWW-Authenticate: HTML" is a significant improvement. It
> doesn't offer anything to existing websites/browsers. It's primarily
> targeted for non-browser UAs, but it's not compatible with them. If UAs
> are required to parse HTML, they could as well look for form with a
> single password field.
I agree that it's not that great. But it is slightly better than nothing,
and the cost to support this is pretty minimal.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
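An added example, not part of the thread above or of any code from its participants, to make the trade-off under discussion concrete: a minimal HTTP Digest exchange as specified in RFC 2617 (MD5, qop="auth") with both the server's challenge and the client's response, followed by the two weaknesses the thread raises. A passive sniffer who captures one exchange has everything except the password, so a weak password falls to an offline dictionary attack; an active MitM can rewrite the challenge to Basic, and a client that honours the downgrade then sends the password in the clear. The realm, nonce format, user name, password and wordlist are constructed for illustration.

```python
"""
Added example (not from the whatwg thread): RFC 2617 HTTP Digest (MD5,
qop="auth") with both sides' messages, plus an offline dictionary attack
on a sniffed exchange and an active downgrade of the challenge.
Realm, credentials and wordlist below are constructed, not real.
"""
import hashlib
import hmac
import secrets

REALM = "example.com"        # assumed realm
USER = "alice"               # assumed account
PASSWORD = "hunter2"         # deliberately weak, to show the offline attack
METHOD, URI = "GET", "/account"


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def parse_auth_params(header: str) -> dict:
    """Parse 'Scheme k="v", k2=v2' into a dict (sufficient for this example)."""
    scheme, _, params = header.partition(" ")
    out = {"scheme": scheme}
    for part in params.split(","):
        k, _, v = part.strip().partition("=")
        out[k] = v.strip().strip('"')
    return out


def server_challenge() -> str:
    """Server -> client: WWW-Authenticate header with a fresh nonce."""
    nonce = secrets.token_hex(16)
    return f'Digest realm="{REALM}", qop="auth", nonce="{nonce}", algorithm=MD5'


def digest_response(password, nonce, nc, cnonce, qop, method, uri,
                    username=USER, realm=REALM) -> str:
    """RFC 2617 response = MD5(HA1:nonce:nc:cnonce:qop:HA2) for qop=auth."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(challenge: str, method=METHOD, uri=URI) -> str:
    """Client -> server: Authorization header. Refuses any non-Digest scheme."""
    p = parse_auth_params(challenge)
    if p["scheme"] != "Digest":
        raise ValueError(f"refusing non-Digest scheme: {p['scheme']}")
    nc, cnonce = "00000001", secrets.token_hex(8)
    resp = digest_response(PASSWORD, p["nonce"], nc, cnonce, "auth", method, uri)
    return (f'Digest username="{USER}", realm="{REALM}", nonce="{p["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def server_verify(authorization: str, issued_nonce: str, users: dict,
                  method=METHOD) -> bool:
    """Server side: recompute from the stored password and compare in constant time."""
    p = parse_auth_params(authorization)
    if p["scheme"] != "Digest" or p["nonce"] != issued_nonce or p["username"] not in users:
        return False
    expected = digest_response(users[p["username"]], p["nonce"], p["nc"], p["cnonce"],
                               p["qop"], method, p["uri"], p["username"], p["realm"])
    return hmac.compare_digest(expected, p["response"])


def crack_from_sniffed(authorization: str, wordlist, method=METHOD):
    """Passive eavesdropper: every input except the password is on the wire,
    so each guess costs three MD5s. Returns the password if it is in wordlist."""
    p = parse_auth_params(authorization)
    for guess in wordlist:
        if digest_response(guess, p["nonce"], p["nc"], p["cnonce"], p["qop"],
                           method, p["uri"], p["username"], p["realm"]) == p["response"]:
            return guess
    return None


def mitm_downgrade(challenge: str) -> str:
    """Active attacker rewrites the server's challenge to Basic; a client that
    accepts it would send base64(user:password) in the clear."""
    realm = parse_auth_params(challenge)["realm"]
    return f'Basic realm="{realm}"'


if __name__ == "__main__":
    ch = server_challenge()
    auth = client_authorization(ch)
    print("verified:", server_verify(auth, parse_auth_params(ch)["nonce"], {USER: PASSWORD}))
    print("cracked:", crack_from_sniffed(auth, ["password", "letmein", "hunter2"]))
    print("downgraded challenge:", mitm_downgrade(ch))
```

The client here refuses the downgraded challenge outright; a browser that still offers Basic when the server "asks" for it is exactly the MitM outcome described above, and the offline attack shows why Digest only raises the bar against passive sniffing for passwords strong enough to resist guessing.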