Every time we submit a form over HTTP or HTTPS with our password, we present an opportunity for a man-in-the-middle to perform some voodoo and decipher our passwords. With SSL in shambles, and HTML Form “encryption” a complete obfuscatory waste of time, most of us turn to JavaScript to perform client-side authentication. I think authentication is pretty important, but I’ve not heard much about this relating to the proposed HTML5 specification.
The Problem
There are a lot of problems with web security, but the most important is when an attacker knows your password. It’s one thing for the attacker to compromise a key local to your server, such as by a replay attack, or through breaking your hashing algorithm(s), but to gain access to the plain-text password probably puts other accounts at risk. While we should all be using 100% unique passwords for every account we create, more importantly I think we shouldn’t be sending our password over the wire at all.
The Solution
As I mentioned, right now everyone is rolling their own implementations in JavaScript. Who knows how many different copies of MD5, SHA1, etc. are floating around in everyone’s caches. Nothing is shared, and browsers without JavaScript support are stuck in the plain-text password sending dark ages. As mentioned in this mailing list entry, support should be added to the INPUT tag in HTML. The effect would be that type="password" elements no longer send their contents, but instead send a hash of the contents. The mailing list excerpt also mentions using a salt, which is probably worth doing, but I think the concept of a truly private key is warranted.
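The exchange this proposal implies, modelled from both sides as an added example (not code from the mailing list or any specification). The per-site form salt, the server-side PBKDF2 step, and the site names and password are assumptions constructed for illustration.

```python
import hashlib
import hmac

def wire_value(password: str, form_salt: bytes) -> str:
    """Value a hashing password field would submit in place of the password."""
    return hashlib.sha256(form_salt + password.encode("utf-8")).hexdigest()

class Site:
    """Server side of the exchange; names and salts here are constructed."""

    def __init__(self, form_salt: bytes, store_salt: bytes):
        self.form_salt = form_salt    # assumption: sent to the browser with the form
        self.store_salt = store_salt  # never leaves the server
        self.accounts = {}

    def _stored_form(self, submitted: str) -> bytes:
        # The submitted hash is a password equivalent for this site, so it is
        # run through a slow KDF again before being stored or compared.
        return hashlib.pbkdf2_hmac("sha256", submitted.encode("ascii"),
                                   self.store_salt, 100_000)

    def register(self, user: str, submitted: str) -> None:
        self.accounts[user] = self._stored_form(submitted)

    def login(self, user: str, submitted: str) -> bool:
        stored = self.accounts.get(user)
        if stored is None:
            return False
        return hmac.compare_digest(stored, self._stored_form(submitted))

def demo() -> dict:
    password = "correct horse battery staple"  # constructed sample password
    shop = Site(b"shop.example/form", b"shop-store-salt")
    forum = Site(b"forum.example/form", b"forum-store-salt")
    sent_shop = wire_value(password, shop.form_salt)
    shop.register("alice", sent_shop)
    forum.register("alice", wire_value(password, forum.form_salt))
    return {
        "plaintext_on_wire": password in sent_shop,
        "replay_same_site": shop.login("alice", sent_shop),
        "replay_other_site": forum.login("alice", sent_shop),
    }

if __name__ == "__main__":
    print(demo())
```

The captured value still logs in to the site it was issued for, which is the "key local to your server" case described earlier, but it is rejected by a second site where the same password is in use.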
Shouldn’t HTTPS solve this?
Probably, but there is still no good reason to be giving out a plain-text version of your passwords.
Can’t an attacker just circumvent this?
This was a topic of debate during my conversations in the IRC channel. Indeed, a man-in-the-middle attacker that has control over content could modify the HTML to not include a hash attribute, and redirect the insecure form submission to another server, thus giving the attacker the plain-text password. This attack relies on the old technology, which should be deprecated, and eventually removed.