[whatwg] meta="encrypt" tag is needed

And Clover and-py at doxdesk.com
Mon May 10 04:08:21 PDT 2010


On 05/07/2010 07:06 PM, Juuso Hukkanen wrote:

> the auth="verisign" argument, which _is_ enough to prevent all practical
> (,even if they are all theoretical!,) man-in-the-middle attacks.

No it doesn't. The initial page load stage is by necessity unencrypted, 
and so an active MitM attack could simply remove the tag, or add a JS 
keylogger script to the page, or whatever other method an attacker might 
choose. Unless the user is expected to view source and check every last 
byte of the page and scripts used in it (which will never happen), they 
have no way to know their communications are secure.

In any case, if you add CAs, your proposal becomes just as 'heavy' as 
HTTPS. What advantage does your proposal have over HTTPS, then? Because 
it appears to have many disadvantages.

As for password 'salting', client-side challenge-response authentication 
is already addressed much more securely by Digest Authentication, 
Kerberos, or JS approaches. And if you have HTTPS, it's not really so 
bad to send a plain password to the server, which will hopefully 
hash/salt it itself. You have to send a plain password in order to set 
it in the first place anyway.

> <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">

Don't do that. That's a basic, beginner-author XSS vulnerability.

-- 
And Clover
mailto:and at doxdesk.com
http://www.doxdesk.com/
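
The `PHP_SELF` issue flagged in the message above, shown as an added example that is not part of the original post. `PHP_SELF` includes any extra path text that follows the script name in the requested URL, so echoing it raw lets request data close the `action` attribute. The sample value, the function names and the `/login.php` path are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: the value PHP_SELF takes when extra path text follows
// the script name in the requested URL. The <b> element is a harmless
// stand-in for any markup a request could carry.
$phpSelf = '/login.php/"><b>injected</b>';

/** The pattern from the quoted form: PHP_SELF written raw into an attribute. */
function form_unsafe(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">';
}

/** Hardened: encode the value for an HTML attribute context before output. */
function form_escaped(string $phpSelf): string
{
    $action = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

/** Alternative: use no request-derived data at all (hypothetical fixed path). */
function form_fixed(): string
{
    return '<form method="post" action="/login.php">';
}

$variants = [
    'unsafe'  => form_unsafe($phpSelf),   // quote and tags break out of action=""
    'escaped' => form_escaped($phpSelf),  // same bytes stay inside the attribute
    'fixed'   => form_fixed(),            // nothing from the request is echoed
];

foreach ($variants as $label => $html) {
    echo str_pad($label, 8), $html, PHP_EOL;
}
```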


