Re: Write-only form fields (was Re: Proposal for a credential management API.)

[Jacob S Hoffman-Andrews]

Your proposal decouples spec from implementation more than the 
placeholder approach does, which is good.


I think the CSP directive is unnecessary and makes things more 
fragile. The 'protect this credential from XSS' attribute should be 
a property of a stored credential, not a web site. If the site has 
the correct CSP headers on 99% of its website, but then for some 
reason doesn't have them on one page, that page is a potential 
vector to expose the credential.


I think making input fields write-only is more powerful than we 
strictly need. When a user is manually entering a password, it's 
okay for the page to be able to read the value they are typing in. 
If the page has been modified by an attacker at this point, it's too 
late.


What we want is a mechanism to specify 'once this value is stored in 
a password manager*, protect it from future JS on this page.' That's 
why I feel like it's relevant to define credential management APIs 
for the web.


*or credit card autofiller.

The write-only spec fully breaks XHR form submission (style C in my 
earlier mail). As Brian pointed out, the placeholder approach can be 
made to work with XHR if you're willing to do a little extra 
inspection of arbitrary XHRs.


Also, as you pointed out, write-only breaks client-side validation. 
Client-side validation is very broadly used for password strength 
meters during signup and change password. I think interfering with 
strength meters would make it a lot harder for implementers to adopt 
the spec.



I'm curious about the use cases for protecting the password from the webserver.

One common use case for client-side crypto is removing systems from 
scope in PCI (payment card industry) compliance. There's a set of 
standards related to the handling of credit/debit cards that involve 
auditing all systems that have card data. There are third-party 
services that offer compliance by having you encrypt card data in JS 
and pass it, encrypted, through all your non-compliant systems and 
into their secure vault where it is decrypted.

Re: Proposal for a credential management API.

[Jacob S Hoffman-Andrews]

I like the idea of standardizing some of the interactions between 
password managers and web sites.


I think we should strongly consider ways to integrate XSS 
mitigation. Hopefully before too long most people will be using a 
password manager. With most password managers, if there is a 
transient XSS on example.com, an attacker can use that XSS to trick 
the password manager into autofilling the password for example.com. 
This means, even though the XSS exposure might be temporary, the 
attackers can steal a large number of passwords, extending the 
attack window indefinitely.


Some other reasons that XSS + password stealing is worse than plain XSS:
 1) Passwords are often reused across web sites, so damage from 
password stealing spreads fast.
 2) When the XSS is fully client-side, it is impossible to figure 
out which users had their passwords stolen. There is no way to reset 
their passwords and they may remain compromised indefinitely.
 3) Sites often require re-entering passwords for privileged 
actions like changing email address or adding an SSH key. Adding 
password stealing to an XSS acts like privilege escalation, allowing 
actions that aren't possible with a plain XSS.


Cookies have a very similar problem. If an XSS can grab the user's 
authentication cookies, the attacker can prolong their attack even 
after the XSS hole is closed. Microsoft addressed the problem in 
2002 by adding the 'HttpOnly' flag for cookies in MSIE 6 SP 1. All 
browsers implement it now, to great effectiveness. At a past job, I 
fixed XSS for a top ten web site, and I can testify that it was 
incredibly valuable to know that attackers were not stealing our 
authentication cookies, because we set the HttpOnly flag..


There's no HttpOnly equivalent for password forms, but that's 
largely because password storage by the browser has never been 
specified. As long as we're trying to specify parts of that storage, 
I think we should strive for HttpOnly passwords. It's challenging 
because there are many different login techniques, but I think we 
can make it happen if web sites opt in.


I'd say there are approximately three styles for login form submission:
 A) No JS. A  with some 's that gets 
submitted when you click an .

 B) Some JS. A  that gets submitted by JS calling form.submit().
 C) All JS. A set of  whose contents are extracted by JS 
and POST'ed via XHR to the server.


Clearly we can't make C safe against XSS. But I think a lot of web 
sites currently use A or B, or would be willing to use them in 
exchange for better security.


Here's a rough idea: Define a new attribute 'httponly' for input 
elements. When a text input has httponly=true and the password 
manager saves the input value as a PendingCredential or a 
Credential, the password manager also stores an attribute 
httpOnly=true on the Credential. When the password manager autofills 
forms using a Credential with httpOnly=true, it should fill a 
placeholder value (possibly a numeric identifier for the 
Credential). When a form is submitted, the password manager should 
intercept the HTTP request and replace the placeholder value with 
the contents of the Credential.


Note that this proposal doesn't break password strength meters 
implemented in JS, because it only addresses subsequent autofills of 
credentials. The first time a password is entered, e.g. during 
signup or change password, it is still fully accessible to JS.


Thanks,
Jacob