On Tuesday, April 21, 2015 at 3:56:31 PM UTC+2, Mike Hoye wrote:
> On 2015-04-21 6:43 AM, Roger Hågensen wrote:
> > I know, not that well explained and over simplified. But the concept 
> > is hopefully clear, but in case it's not...
> For what it's worth, a lot of really smart people have been thinking 
> about this problem for a while and there aren't a lot of easy buckets 
> left on this court. Even if we had the option of starting with a clean 
> slate it's not clear how much better we could do, and scrubbing the 
> internet's security posture down to the metal and starting over isn't 
> really an option. We have to work to improve the internet as we find it, 
> imperfections and tradeoffs and all.

How about HTTP/2?
Also a lot of smart minds completely ignored HTTP Digest Authentication for 
years, allowing Basic (plain text) passwords to be sent when logging in on sites.

I hate plain text logins, how many blogs and forums out there have plain text 
logins right now? The number is scary I'm sure.
MITM attacks are one thing, what is worse is network eavesdropping; log in to 
your blog or forum from a cafe and you are screwed basically. It has been shown 
that despite using WPA2 to the router, others on the same router can catch 
packets and decrypt them. And then they have your login/password.

Now when I make logins for web projects I use a JavaScript client side based 
HMAC and a challenge-response so I do not even send the HMAC/hash over the 
network.

The server gives the javascript/client a challenge and a nonce, the password 
which the user knows and server knows (actually the server only knows a hmac of 
the pass and salt) is used with the challenge and then the result is sent back 
as an answer.
An eavesdropper will not be able to get the password.

Now, there are other attacks that could be used like session exploits but this 
is true even for HTTPS connections.

And a JavaScript/client solution like this is open to a MITM attack since it's 
not encrypted or signed in any way (code signing certificates are even more 
expensive than site certificates).

I'd like to see a Client based HMAC Challenge-Response built in and a way for 
a browser and a serverside script to establish an encrypted connection without 
the need for certificates.
This would solve the plaintext login headache, and would be attractive to sites 
that only have HTTP (no HTTPS option) but have for example PHP support or some 
other scripting language.

HTTP/2 could be extended to improve the way HTTP Digest Authentication works, 
adding a HMAC(PSWD+SALT) + Challenge(NONCE) = Response(HASH) method.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
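
The challenge-response login described in the message above, written out as an added example that is not part of the original post or the poster's code. It runs under Node.js; SHA-256, the 16-byte salt and nonce, the HMAC argument order and all function names are assumptions chosen for illustration.

```javascript
// Added example: constructed values, hypothetical function names.
const crypto = require('node:crypto');

const hmac = (key, msg) =>
  crypto.createHmac('sha256', key).update(msg).digest('hex');

// Server side: stores only the salt and HMAC(salt, password), never the password.
function createServer() {
  const users = new Map();   // username -> { salt, verifier }
  const pending = new Map(); // username -> outstanding single-use nonce
  return {
    register(user, password) {
      const salt = crypto.randomBytes(16).toString('hex');
      users.set(user, { salt, verifier: hmac(salt, password) });
    },
    // Step 1: hand the client the salt and a fresh random nonce.
    challenge(user) {
      const rec = users.get(user);
      if (!rec) return null;
      const nonce = crypto.randomBytes(16).toString('hex');
      pending.set(user, nonce);
      return { salt: rec.salt, nonce };
    },
    // Step 3: recompute the expected response and compare in constant time.
    verify(user, response) {
      const rec = users.get(user);
      const nonce = pending.get(user);
      pending.delete(user); // a nonce is good for one attempt only
      if (!rec || !nonce || typeof response !== 'string') return false;
      const expected = Buffer.from(hmac(rec.verifier, nonce), 'hex');
      const got = Buffer.from(response, 'hex');
      return got.length === expected.length &&
             crypto.timingSafeEqual(got, expected);
    },
  };
}

// Step 2 (client): derive the verifier from the typed password, then answer
// the nonce. Only this response crosses the network.
function clientRespond(password, { salt, nonce }) {
  return hmac(hmac(salt, password), nonce);
}
```

In this sketch the stored verifier is itself sufficient to answer a challenge, so it needs the same protection on the server as a password would. The single-use nonce is what makes a captured response useless for replay.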
