Better HTML Form Cryptography November 11th, 2009

Every time we submit a form containing a password over HTTP (or HTTPS), we hand a man-in-the-middle an opportunity to recover that password. With SSL in shambles, and HTML form "encryption" a complete obfuscatory waste of time, most of us turn to JavaScript to hash or otherwise protect the password on the client side. I think authentication is pretty important, but I've not heard much about this in relation to the proposed HTML5 specification.

The Problem

There are a lot of problems with web security, but the most important is an attacker learning your password. It's one thing for an attacker to obtain a credential that only works against your server, for instance by replaying something captured on the wire or by breaking your hashing algorithm(s); gaining the plain-text password puts every other account where that password is reused at risk. While we should all be using a unique password for every account we create, I think the more important point is that we shouldn't be sending the password itself over the wire at all.

The Solution

As I mentioned, right now everyone is rolling their own implementation in JavaScript. Who knows how many different copies of MD5, SHA1, etc. are floating around in everyone's caches. Nothing is shared, and browsers without JavaScript support are stuck in the dark ages of sending plain-text passwords. As mentioned in this mailing list entry, support should be added to the INPUT tag in HTML: a type="password" element would no longer submit its contents, but instead submit a hash of them. The mailing list excerpt also mentions using a salt, which is probably worth doing, but I think something closer to a truly private, per-user key is warranted.

Shouldn’t HTTPS solve this?

Probably, but there is still no good reason to be giving out a plain-text version of your passwords.

Can't an attacker just bypass this?

This was a topic of debate during my conversations in the IRC channel. Indeed, a man-in-the-middle attacker who controls the page content could modify the HTML to drop the hash attribute and redirect the now-insecure form submission to another server, thus obtaining the plain-text password. This downgrade relies on the legacy behaviour (password fields that submit their plain-text contents), which should be deprecated and eventually removed, so that a browser refuses to send a password field that lacks the hash attribute.

Symphony of Science November 7th, 2009

While browsing YouTube I found a video that took the great popular scientist Carl Sagan (RIP) and transformed his thoughts into song. The video was made by John Boswell of Symphony of Science. I found it ironic that I liked the use of the auto-tune feature, while I hate T-Pain with a passion, whose Wikipedia article lists his "Instrument" as Auto-Tune. The idea of hearing something that Sagan, Hawking, or another brilliant mind said, instead of the half-constructed ramblings of a musical artist, is appealing. (For the record, T-Pain and other artists may be making stupid music, but they're making serious bank while doing it, so my hat's off to them in that regard.)

By random chance I happened to remember the name of the video and showed it to a good number of people throughout the day. We all had a fun time with it, but nobody knew anything about Symphony of Science, or that there were more videos to come. Later John released We're All Connected, returning with Sagan and folk, including Bill Nye. After seeing this video, I don't think John is going to have a problem finding amazingly elegant and on-topic sound bites to mix and match together. So far most of us like Glorious Dawn more than We're All Connected, but the fact that I have to pause and think about it means both are obviously awesome.

Secret ACTA Legislation Leaked Would Kill Dynamic Content November 4th, 2009

You might have heard me ranting about the new administration wearing the old "national security" hat to keep information about the Anti-Counterfeiting Trade Agreement (ACTA) a secret. Information about the agreement was released to a select group of organizations with watermarks to "protect" it from sharing, and they all required NDAs. Thankfully it's been leaked and we've got a chance to see what's happening before it's too late.

To start with, it's pathetic that we have to read legislation drafted by the public officials we elected in the form of a controversial leak. Also irritating is that this is obviously a copyright agreement, not a counterfeiting agreement. Not surprisingly, the representatives involved received over $250,000 in "donations" from media corporations over the past 2 years, based on research I conducted on OpenSecrets.org. The usual players: Time Warner, News Corp, Sony, and Disney.