Re: Idea for improving password security in the web
From: Isaac Boukris via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 4 Jul 2022 13:27:17 +0300
On Mon, Jul 4, 2022 at 12:58 PM Daniel F via curl-library
<curl-library_at_lists.haxx.se> wrote:
>
> On 2022-07-04 11:09, Daniel Stenberg via curl-library wrote:
> > On Sat, 25 Jun 2022, Isaac Boukris via curl-library wrote:
> >
> >> The idea is to add a new HTTP authentication scheme, where the browser
> >> will make sure the prompt to enter the password has a distinct UI
> >> which cannot be faked with javascript or anything
> >
> > I've been told many times that one of the primary reasons HTTP based
> > auth mechanisms have failed compared to POST + cookies, is this reason:
> > that web site designers prefer a system where they can design the
> > credential prompt to their liking and *not* rely on the stiff and
> > ugly same-for-everyone popup-window the browsers provide. (Another big
> > reason being that the HTTP auths don't have a proper "logout" action
> > or expiry the easy way cookies do.)
The authentication page could yield a cookie so logouts could still be
implemented the same as today.
> Looks like browsers need some way to customize the default login
> popup. Every browser should use the same HTML code to describe the
> contents of this popup. It should also be possible to create a CSS sheet
> which would be loaded into that popup, so every website could customize
> how it looks.
>
> Browsers also may provide some "login form" control which could be added
> to the page, with a predefined way to style it with CSS. It should be a
> black box for JS, so scripts could not access and modify login data.
Yeah, some customization could be allowed I guess, as long as it is
kept quite distinct - admittedly this part would be more of a
challenge for actual browsers.
Received on 2022-07-04