> Where does the javascript come from ?
> How do you trust it is not going to send your password somewhere ?
> How do you trust another bug in the browser will not allow another "tab"
> to read the memory of the browser including your password or TGT ?
>
> There is a good reason crypto and keys on one side and javascript on the
> other should not come in contact, IMO.

Clearly there are potential problems. The question is, are they bigger problems 
than sending your password across the net? The first two questions are not 
specific to javascript; you should have the same concerns with any web password 
prompt, particularly those technologies which redirect browsers all over the 
internet. The last one is common to any session token you might have after 
authenticating. These are all high-visibility, well-exercised regions of code 
which should get fixed quickly when a problem is detected.

How do you know openssl doesn't have another heartbleed bug in it?

Relevant questions are: Given that an http basic auth challenge and the Kerberos 
javascript both would be protected/authenticated by the same SSL connection, is 
there a benefit to sending Kerberos exchanges instead of your password? Would 
implementing this strategy help reduce the number of websites which require 
their own user database, reducing users' exposure to ill-managed systems? (And 
if we assume they use the same password in more than one place: reduce the 
system manager's exposure to having someone else's compromised system plague my 
machines?)


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project