[whatwg] fixing the authentication problem

Aaron Swartz me at aaronsw.com
Tue Oct 21 06:16:25 PDT 2008

The most common way of authenticating to web applications is:

Client: GET /login
Server: <html><form method="post">....
Client: POST /login
Server: 200 OK
Set-Cookie: acct=joesmith01,2008-10-21,sj89d89asd89s8d

The obvious problem with this is that passwords are transferred in the
clear. Some major web services redirect the user to an SSL server for
the login transaction, but SSL is too expensive for the vast majority
of services. (We can hope ObsTCP will fix this, but that's a long way
away, if ever.)

Another alternative is HTTP Digest authentication, but I vaguely
remember Hixie saying it was insecure and, in any event, most Web
services will not adopt it because the browser UI isn't customizable.

My proposal: add something to HTML5 so that the transaction looks like this:

Client: GET /login
Server: <html><form method="post" pubkey="/pubkey.key">...
Client: POST /login
Server: 200 OK
Set-Cookie: acct=joesmith01,2008-10-21,sj89d89asd89s8d

where the base64 string is the form data encrypted with the key
downloaded from /pubkey.key. This should be fairly easy to implement
(for clients and servers), falls back to exactly the current behavior
on browsers that don't support it, and solves a rather important
problem on the Web.

More information about the whatwg mailing list