If sensible authentication were used...

Posted May 27, 2010 12:02 UTC (Thu) by epa (subscriber, #39769)
Parent article: Redirecting browser tabs via "tabnabbing"

So, once again, why do sites insist on logging in through username and password boxes in a form on the page itself? If instead they used the web browser's built-in support for http digest authentication, the browser can clearly show the web address that the password is going to, *and nothing else*, so no cute Gmail or bank logos or any other visual clues which users come to depend on but are easily spoofable.

(Indeed, it might be a good idea for the browser password dialogue to require you to type in the domain name of the site, if it's one you haven't authenticated to before.)

Using an ordinary HTML form for username-password authentication looks prettier, but I feel it makes spoofing attacks much harder to prevent.


If sensible authentication were used...

Posted May 27, 2010 13:57 UTC (Thu) by niner (subscriber, #26151) [Link]

Well, HTTP authentication might be nice if it didn't have a serious drawback: it's just not possible to end a session. Mozilla used to be the only browser that I know of that ever had a logout button for HTTP authentication. It was removed in Firefox to simplify the user interface. You can still add it, for example as part of the web developer extensions, but no normal user would have that.

Also it's not possible to end a session from the server side, since the browser is sending valid credentials with every request. It's just a NO GO from a security perspective.

If sensible authentication were used...

Posted May 27, 2010 14:56 UTC (Thu) by TRS-80 (subscriber, #1804) [Link]

They actually added it back in 3.0 as part of the "Clear Private Data..." interface. Also, it is possible to end it from the server side, but it requires a fair bit of hackery. There are plenty of other reasons not to use HTTP auth however, including the inflexibility of the browser UI for providing options like "new user" and "forgot my password".
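The session-ending problem that niner and TRS-80 are arguing about can be made concrete with a small simulation. The following is an added example, not code from the thread or from any browser: it implements RFC 2617 Digest verification (MD5, no qop, no nonce expiry) on a toy server, and a toy browser that, like a real one, caches the typed password and answers every later challenge with it. The realm, the user "alice" and her password are constructed. The "hackery" is the server's `logout()`: it refuses one correct request, which makes the browser forget the cached password and re-prompt the user; whether the user is then logged out depends entirely on the user cancelling that prompt.

```python
"""Simulated HTTP Digest auth (RFC 2617, MD5, no qop) showing that a server
cannot end a session: the browser re-sends valid credentials on every request,
so the best it can do is refuse correct credentials once to force a re-prompt."""
import hashlib
import hmac
import re
import secrets

REALM = "mail.example.com"            # constructed realm
USERS = {"alice": "correct horse"}    # constructed credential store


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, method, uri, nonce, realm=REALM):
    """The 'response' field a client sends (RFC 2617, without qop)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def parse_digest_header(value):
    """Turn 'Digest k="v", k2="v2"' into a dict (simplified: quoted params only)."""
    if not value.startswith("Digest "):
        return {}
    return dict(re.findall(r'(\w+)="([^"]*)"', value[len("Digest "):]))


class DigestServer:
    def __init__(self):
        self.nonces = set()          # issued nonces; never expired in this model
        self.must_reject = set()     # users whose next *correct* request is refused

    def _challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return 401, {"WWW-Authenticate": f'Digest realm="{REALM}", nonce="{nonce}"'}

    def logout(self, username):
        """Server-side 'logout' hack: refuse the cached credentials once."""
        self.must_reject.add(username)

    def handle(self, method, uri, headers):
        auth = parse_digest_header(headers.get("Authorization", ""))
        user = auth.get("username")
        if auth.get("nonce") not in self.nonces or user not in USERS:
            return self._challenge()
        if auth.get("uri") != uri:
            return self._challenge()
        expected = digest_response(user, USERS[user], method, uri, auth["nonce"])
        if not hmac.compare_digest(expected, auth.get("response", "")):
            return self._challenge()
        if user in self.must_reject:
            self.must_reject.discard(user)
            return self._challenge()     # password is right, refused on purpose
        return 200, {"Content-Type": "text/plain"}


class Browser:
    """Caches the typed password and answers later challenges automatically."""
    def __init__(self, server):
        self.server = server
        self.cached = None      # (username, password) once the user has typed them
        self.nonce = None
        self.prompts = 0        # how often the user saw a password dialogue

    def _authorized(self, uri):
        user, pw = self.cached
        resp = digest_response(user, pw, "GET", uri, self.nonce)
        hdr = (f'Digest username="{user}", realm="{REALM}", nonce="{self.nonce}", '
               f'uri="{uri}", response="{resp}"')
        return self.server.handle("GET", uri, {"Authorization": hdr})

    def get(self, uri, typed=None):
        """Fetch uri; `typed` is what the user enters at a password prompt
        (None means the user cancels the dialogue)."""
        if self.cached is None:
            status, hdrs = self.server.handle("GET", uri, {})
        else:
            status, hdrs = self._authorized(uri)
        if status != 401:
            return status
        # A 401 without stale=true means "wrong password" (RFC 2617 3.2.1): the
        # browser drops its cached copy and asks the user again.
        self.cached = None
        self.nonce = parse_digest_header(hdrs["WWW-Authenticate"])["nonce"]
        if typed is None:
            return 401
        self.prompts += 1
        self.cached = typed
        status, _ = self._authorized(uri)
        return status
```

Run with a `DigestServer` and a `Browser` pointed at it: after one prompt the browser gets 200 on every further request without any user action, which is niner's point; after `server.logout("alice")` the next request is refused and the user is prompted, and if the user simply types the password again they are back in, which is why TRS-80 calls the server-side approach hackery rather than a real logout.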

If sensible authentication were used...

Posted Jun 1, 2010 16:15 UTC (Tue) by epa (subscriber, #39769) [Link]

Agreed. It would need the browser makers to get together to define a basic common interface for web authentication, into which site makers could plug their 'new user' and password reminder pages. Once it's widely deployed, security-conscious sites might start to use it.

If sensible authentication were used...

Posted Jun 1, 2010 16:43 UTC (Tue) by TRS-80 (subscriber, #1804) [Link]


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds