Re: [apps-discuss] [http-auth] [saag] [websec] [kitten] HTTP authentication: the next generation

der Mouse <mouse@Rodents-Montreal.ORG> Thu, 16 December 2010 20:00 UTC

Return-Path: <mouse@Sparkle.Rodents-Montreal.ORG>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0DC0A3A69C5; Thu, 16 Dec 2010 12:00:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -8.7
X-Spam-Status: No, score=-8.7 tagged_above=-999 required=5 tests=[AWL=1.288, BAYES_00=-2.599, HELO_MISMATCH_ORG=0.611, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id xuSzAo7VvG49; Thu, 16 Dec 2010 12:00:29 -0800 (PST)
Received: from Sparkle.Rodents-Montreal.ORG (Sparkle.Rodents-Montreal.ORG []) by (Postfix) with ESMTP id 2665E3A6A61; Thu, 16 Dec 2010 12:00:20 -0800 (PST)
Received: (from mouse@localhost) by Sparkle.Rodents-Montreal.ORG (8.8.8/8.8.8) id PAA04308; Thu, 16 Dec 2010 15:02:04 -0500 (EST)
Date: Thu, 16 Dec 2010 15:02:04 -0500
From: der Mouse <mouse@Rodents-Montreal.ORG>
Message-Id: <201012162002.PAA04308@Sparkle.Rodents-Montreal.ORG>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Erik-Conspiracy: There is no Conspiracy - and if there were I wouldn't be part of it anyway.
X-Message-Flag: Microsoft: the company who gave us the botnet zombies.
X-Composition-Start-Date: Thu, 16 Dec 2010 14:44:07 -0500 (EST)
To: Marsh Ray <>,,,,,,
In-Reply-To: <>
References: <> <p06240809c928635499e8@[]> <> <> <> <> <> <> <> <> <2229.1292235952.971571@puncture> <> <2229.1292239384.281779@puncture> <> <> <> <> <> <201012161827.NAA03511@Sparkle.Rodents-Montreal.ORG> <>
X-Mailman-Approved-At: Fri, 17 Dec 2010 14:11:55 -0800
Subject: Re: [apps-discuss] [http-auth] [saag] [websec] [kitten] HTTP authentication: the next generation
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: General discussion of application-layer protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 16 Dec 2010 20:00:31 -0000

> You've never signed up for a new account from a hotel or a public
> wifi?

I don't think so.  Most certainly not for an account of nontrivial
value (see below) without something at least as strong as ssh securing
the channel from a computer I trust (which is a subset of computers I
own and administer).

>> For all that that's rhetorical, there is an answer: because [initial
>> signup] occurs only once while [login] occurs many times.
> I bet for a lot of systems, people sign up once and try it out then
> go away and leave their accounts dormant.

You quite likely are right.  But in that case the account clearly is of
little value to the holder, so I have trouble getting too worried. :)

> Even still, how do you convince a web designer that they must give up
> their HTML login form for security when they have an HTML login form
> to choose the password in the first place?

Personally, I don't.  I mostly don't bother with Web stuff at all - you
may note that what I've said here is almost entirely non-Web-specific -
and _never_ do anything involving signups or the like "online"
(meaning, on the Web; I have done such things unsecured over the
Internet, such as creating a login on or creating
characters on muds - these are examples of accounts of trivial value).

But if someone were to argue that way with me, I'd basically just shrug
and let it go as "I pointed out the issues; if you want to ignore them
you may be right or you may get burned, and, if the latter, I feel no
responsibility for it".

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B