[whatwg] fixing the authentication problem
Aaron Swartz
me at aaronsw.com
Tue Oct 21 06:16:25 PDT 2008

The most common way of authenticating to web applications is:

  Client: GET /login
  Server: <html><form method="post">....
  Client: POST /login
          user=joesmith01&password=secret
  Server: 200 OK
          Set-Cookie: acct=joesmith01,2008-10-21,sj89d89asd89s8d

The obvious problem with this is that passwords are transferred in the
clear. Some major web services redirect the user to an SSL server for
the login transaction, but SSL is too expensive for the vast majority
of services. (We can hope ObsTCP will fix this, but that's a long way
away, if ever.)

Another alternative is HTTP Digest authentication, but I vaguely
remember Hixie saying it was insecure and, in any event, most Web
services will not adopt it because the browser UI isn't customizable.

My proposal: add something to HTML5 so that the transaction looks like this:

  Client: GET /login
  Server: <html><form method="post" pubkey="/pubkey.key">...
  Client: POST /login
          dXNlcj1qb2VzbWl0aDAxJnBhc3N3b3JkPXNlY3JldA==
  Server: 200 OK
          Set-Cookie: acct=joesmith01,2008-10-21,sj89d89asd89s8d

where the base64 string is the form data encrypted with the key
downloaded from /pubkey.key. This should be fairly easy to implement
(for clients and servers), falls back to exactly the current behavior
on browsers that don't support it, and solves a rather important
problem on the Web.
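
The exchange proposed in the message above, sketched as an added example that is not part of the original post. The message names no algorithm or key format, so RSA-2048 with OAEP/SHA-256, a PEM-encoded key, the "try to decrypt, else treat as plain form data" fallback and all function names are assumptions.

```javascript
const crypto = require('crypto');

// Assumption: the server holds an RSA-2048 key pair and serves the public
// half, PEM-encoded, at /pubkey.key. The post names no algorithm or format.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const PUBKEY_PEM = publicKey.export({ type: 'spki', format: 'pem' });

// Assumption: RSA-OAEP with SHA-256 as the encryption scheme.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Client: what a supporting browser would do for <form pubkey="/pubkey.key">.
function clientEncryptForm(fields, pubkeyPem) {
  const body = new URLSearchParams(fields).toString(); // user=...&password=...
  const ct = crypto.publicEncrypt({ key: pubkeyPem, ...OAEP }, Buffer.from(body, 'utf8'));
  return ct.toString('base64');
}

// Server: try to decrypt the POST body; if that fails, treat it as the
// ordinary urlencoded body an older browser sends (the fallback in the post).
function serverReadLogin(postBody) {
  let form = postBody;
  let encrypted = false;
  try {
    const ct = Buffer.from(postBody, 'base64');
    form = crypto.privateDecrypt({ key: privateKey, ...OAEP }, ct).toString('utf8');
    encrypted = true;
  } catch (err) {
    // Not a valid ciphertext for our key: fall through with the plain body.
  }
  return { encrypted, fields: Object.fromEntries(new URLSearchParams(form)) };
}

// The sample body in the message is a stand-in: it is the base64 of the
// plaintext form data, not a ciphertext.
function decodePageSample() {
  return Buffer.from('dXNlcj1qb2VzbWl0aDAxJnBhc3N3b3JkPXNlY3JldA==', 'base64').toString('utf8');
}

// Constructed credentials, the same ones used in the message.
const creds = { user: 'joesmith01', password: 'secret' };
const wire = clientEncryptForm(creds, PUBKEY_PEM);
console.log('POST /login body:', wire.slice(0, 32) + '...');
console.log('server sees:', serverReadLogin(wire));
console.log('legacy browser:', serverReadLogin('user=joesmith01&password=secret'));
```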