On 080110 at 20:00, Alexander Mueller wrote:
> > Adding mechanisms always adds complexity, not only in terms of code but
> > also in terms of things the admin should consider to set up a secure
> > system. So the added complexity should be worth something.
> Correct, however I'd say the added complexity in this case (which isn't
> that much) would be worth the gained security.
Maybe. But 'mediocre' security mechanisms are difficult to handle. In reality, security mechanisms are often abused in every possible way. People don't understand how they work and where the limits are. That's why they should be very robust. How do you communicate that this type of login is relatively secure for dial-in internet users but very insecure when used in internet cafes?

> > SRP can also be used as a http-auth mechanism, but then it provides
> > only limited security, as it could be used with limited SSL security or
> > no SSL at all.
> Yes, but here we are not even talking about HTTP authentication, but
> about form-based logins, usually not even via SSL.

Many sites that don't care about security use SSL with a self-signed cert just so that passwords are not sent in the clear. With the current certificate handling in browsers, this is a problematic solution, but IMO better than none. And better than protecting only the login.

> > Same for your scheme: It protects the password, but as
> > an attacker I don't even need that if I can break the SSL protection or
> > if SSL is not even used.
> Can you explain why?

Because there is usually some reason to demand a login in the first place: the transaction that follows the login. Without SSL or with weak SSL, people feel good about their 'secure login' while the actual transaction data can be easily manipulated.

Did I mention I'm also new to the list and, although knowing a thing or two about security engineering, have nothing to say here? :-) Interesting discussion though. Maybe just write an RFE in bugzilla and see what comes out of it..

/steffen

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
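The point made in the post above (SRP protects the password at login, but not the transaction that follows) as an added example; this is not code from the thread or from any Mozilla component. It runs a minimal SRP-6a exchange between a client and a server in Python, then shows the difference between a post-login request that is bound to the session key K and one that is not. Assumptions: the 1024-bit group is the one from RFC 5054 Appendix A reproduced from memory (so the code re-checks that it is a safe prime), the proofs use the simplified M1 = H(A, B, K) and M2 = H(A, M1, K) form of the common SRP-6a write-ups, and the names SrpClient, SrpServer, run_login and sign_transaction are mine.

```python
"""SRP-6a login plus a transaction bound to the resulting session key.
Added example, not code from the thread; group is the 1024-bit one from
RFC 5054 Appendix A (reproduced from memory, so group_is_sane() re-checks it).
M1 = H(A, B, K), M2 = H(A, M1, K) as in the common SRP-6a description."""
import hashlib
import hmac
import secrets

N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g, N_LEN = 2, 128

def is_probable_prime(n):  # Miller-Rabin with fixed bases: a sanity check only
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def group_is_sane():  # N must be a safe prime for SRP's guarantees to hold
    return N.bit_length() == 1024 and is_probable_prime(N) and is_probable_prime((N - 1) // 2)

def to_bytes(x):
    return x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")

def H(*parts):  # SHA-256 over the concatenation; ints are encoded big-endian
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else to_bytes(p))
    return int.from_bytes(h.digest(), "big")

def pad(x):
    return x.to_bytes(N_LEN, "big")

k = H(N, pad(g))  # SRP-6a multiplier

def make_verifier(username, password, salt=None):
    """Enrolment: the server stores (salt, v), never the password."""
    salt = salt or secrets.token_bytes(16)
    return salt, pow(g, H(salt, H(f"{username}:{password}".encode())), N)

class SrpClient:
    def __init__(self, username, password):
        self.ident = f"{username}:{password}".encode()
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)  # public; reveals nothing about the password
    def process_challenge(self, salt, B):
        if B % N == 0:
            raise ValueError("degenerate B from server")
        u, x = H(pad(self.A), pad(B)), H(salt, H(self.ident))
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = H(S)
        self.M1 = H(self.A, B, self.K)  # proves knowledge of K, hence of x
        return self.M1
    def verify_server(self, M2):
        return hmac.compare_digest(to_bytes(M2), to_bytes(H(self.A, self.M1, self.K)))

class SrpServer:
    def __init__(self, salt, v):
        self.salt, self.v = salt, v
        self.b = secrets.randbelow(N - 2) + 1
    def challenge(self, A):
        if A % N == 0:
            raise ValueError("degenerate A from client")
        self.A, self.B = A, (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B
    def verify_client(self, M1):
        u = H(pad(self.A), pad(self.B))
        K = H(pow(self.A * pow(self.v, u, N) % N, self.b, N))
        if not hmac.compare_digest(to_bytes(M1), to_bytes(H(self.A, self.B, K))):
            return None  # wrong password: no key is released and no M2 is sent
        self.K = K
        return H(self.A, M1, K)

def run_login(username, password_tried, salt, v):
    """Full exchange; returns (client, server) sharing K, or None on failure."""
    client, server = SrpClient(username, password_tried), SrpServer(salt, v)
    salt_out, B = server.challenge(client.A)
    M2 = server.verify_client(client.process_challenge(salt_out, B))
    if M2 is None or not client.verify_server(M2):
        return None
    return client, server

def sign_transaction(K, body):  # bind the post-login request to K
    return hmac.new(to_bytes(K), body, hashlib.sha256).digest()

def transaction_accepted(K, body, tag):
    return hmac.compare_digest(sign_transaction(K, body), tag)
```

What the exchange shows: only A, B, M1 and M2 cross the wire, none of which lets an observer recover the password, and a wrong password fails before any key is released. What it does not show by itself is the problem raised above: a site that stops at the login and then accepts plain form posts identified by a cookie has protected the password and nothing else. Feeding the SRP session key into sign_transaction / transaction_accepted is one way to extend the protection to the transaction; in practice TLS for the whole session is the simpler answer.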
