[whatwg] meta="encrypt" tag is needed

Juuso Hukkanen juuso_html5 at tele3d.net
Fri May 7 10:06:26 PDT 2010 

I was expecting criticism; as is unavoidable with all crypto issues.

You asked many questions, and unfortunately all you missed the  
auth="verisign" argument, which _is_ enough to prevent all practical  
(,even if they are all theoretical!,) man-in-the-middle attacks.

<html>
<head>
   <meta encrypt pubkey="ABABAEFEF2626EFEFEF" pubtool="EC256-AES"  
passsalt="colordev.com" auth="verisign"/>
</head>
<body>
   <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
   Username: <input type="text" name="user" /><br />
   Password: <input type="password" name="password" />
	<input type="submit" value="Submit" /><br />
   </form>
</body>
</html>

the above 'page' using the meta-encrypt tag, which is enough for a  
client browser to submit to site
a) a salted password
b) and a user name transported in encrypted form; over the internet

Maybe someone can show a _complete_ alternative Javascript & https  
solution about how those can be achieved in a computer or PDA-device  
without javascript support.

I am not suggesting replacing https with anything, government and  
business sites can and should keep on using it.  I am suggesting a  
small easy to use mini-encryption which would be enough for those 90%  
of sites should salt their passwords and encrypt sensitive data and  
but who currently aren't.

question 1:
> The server has to read and correctly parse each HTML page to decide
> whether to encrypt it? (And how does the browser know that the page is
> encrypted, vs. a legacy server that doesn't encrypt?)

answer 1:
Most servers are already configured to read the requested pages before  
submitting those over the internet. For example my above form-page has  
a small php-script inside which the server program must notice; as the  
PHP-program needs to compile the script. Client never sees the <?php  
echo $_SERVER['PHP_SELF']; ?> part but is instead shown an URL. To  
implement meta-encrypt tag would just require (on/off) configuring  
server program to read the header of requested page and see if there  
is a meta-encrypt tag in there the server calls a program which  
decrypts! the client submitted data.

Obviously you people will keep complaining, so what do you want to  
complain next
1) Man-in-the-middle problem; which doesn't exists because
	a) those are just academic mind games
	b) if auth="verisign" is used as external CA
2) HTTPS = good (even if it is typically NOT used with forms
3) password salting = webmasters duty to do it (which 50% forget),  
after using the HTTPS (which 90% forget)
4) Declaring encrypt action doesn't fit into HTML (; then why is there  
a form method get/post)


Juuso Hukkanen
www.colordev.com

More information about the whatwg mailing list