Re: Security Considerations re: Forms and PASSWORD input fields

David - Morris (dwm@shell.portal.com)
Tue, 9 May 95 13:40:35 EDT

On Mon, 8 May 1995, Dan Connolly wrote:

>
> I kinda slipped this one in. What do you think?
>
> html-spec_3.html#SEC20
>
> |The widely deployed methods for submitting forms requests -- HTTP and
> |SMTP -- provide little assurance of confidentiality. Information
> |providers who request sensitive information via forms -- especially by
> |way of the `PASSWORD' type input field -- should be aware and make
> |their users aware of the lack of confidentiality.

I would prefer replacing "make their users aware" with "carefully consider
making their users aware". I would assert that the problem is no
worse than the telnet login with an unprotected password. But more
important is the question of whose information is being compromised if
the password (that is, masked input) is compromised. If the user's, then
the original wording is sufficient; if the information provider's, then
they must determine and assume the risk.

Also, in this area, I think Netscape provides a good example as to
notification. Intrusive, but much safer than placing easy-to-ignore
words on a screen.

Dave Morris
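The spec paragraph quoted above makes a concrete claim: a PASSWORD field only masks what is shown on screen, and the submission itself goes over HTTP (or SMTP) with no confidentiality. The example below, added here as illustration and not part of this thread or of the HTML spec, shows what a passive observer on the wire does with a captured form submission: split the HTTP request, find the urlencoded fields, and read the password back. The two captured requests are constructed by hand, not real traffic, and the host name, field names and password value are made up. It also covers the METHOD=GET case, where the fields end up in the request URL and therefore in proxy and server logs too.

```python
from urllib.parse import parse_qs

# Constructed sample of what a browser puts on the wire when submitting
#   <FORM METHOD=POST ACTION="/login">
#   <INPUT TYPE=TEXT NAME=user> <INPUT TYPE=PASSWORD NAME=pass>
# over plain HTTP.  Host, names and values are invented for the example.
CAPTURED_POST = (
    b"POST /login HTTP/1.0\r\n"
    b"Host: www.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"user=dwm&pass=s3cret%26more"
)

# Same form with METHOD=GET: the fields travel in the request line, so
# they are also written to server and proxy logs and leak via Referer.
CAPTURED_GET = (
    b"GET /login?user=dwm&pass=s3cret%26more HTTP/1.0\r\n"
    b"Host: www.example.test\r\n"
    b"\r\n"
)


def split_request(raw):
    """Split a raw HTTP request into (request line, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return request_line, headers, body


def recover_form_fields(raw):
    """Return the submitted form fields as a dict, exactly as an
    eavesdropper sees them; the PASSWORD type gives no protection here."""
    request_line, headers, body = split_request(raw)
    method, target, _ = request_line.split(" ", 2)
    if method == "GET":
        # Fields are in the URL's query string.
        _, _, encoded = target.partition("?")
    elif method == "POST":
        ctype = headers.get("content-type", "")
        if not ctype.startswith("application/x-www-form-urlencoded"):
            raise ValueError("unsupported form encoding: %r" % ctype)
        # Honour Content-Length so trailing bytes (e.g. a pipelined
        # request) are not mistaken for form data.
        length = int(headers.get("content-length", len(body)))
        encoded = body[:length].decode("ascii")
    else:
        raise ValueError("not a form submission: " + request_line)
    # parse_qs undoes the %XX escaping the browser applied (%26 -> '&').
    fields = parse_qs(encoded, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


if __name__ == "__main__":
    for label, capture in (("POST", CAPTURED_POST), ("GET", CAPTURED_GET)):
        print(label, recover_form_fields(capture))
```

Running it prints the same user and password for both captures; the only difference the masked input type makes is on the user's own screen, which is the point the quoted paragraph is making.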