[cosmo-dev] Basic Auth is sooo 1996

Matthew Eernisse mde at osafoundation.org
Wed Nov 28 10:58:31 PST 2007


Travis,

Thanks for keeping the overall auth/security thing on your radar as well 
as you're trudging through all this encoding stuff.

Travis Vachon wrote:
> 1) Make the tweak to our client side base64 encoding algorithm to get 
> this working in our application
> 2) I think this provides yet another reason we should look into 
> alternate authentication mechanisms a la WSSE 
> (http://www.xml.com/pub/a/2003/12/17/dive.html) or Google's 
> authentication scheme. The first step I'd like to take in this vein is 
> to read some of the archives of the ietf-http-auth mailing list to come 
> up to speed on http authentication proposals and report back here.

+1 on the idea of doing what tweaks we can to what we have now if it's 
easy to do.

I'm guessing other auth schemes like WSSE would still require a 
plaintext equivalent of password to be kept somewhere on the client, 
correct?

I realize this is kind of tangential to the discussion, but it occurs to 
me that we've been ignoring a pretty obvious and fairly secure way to 
store those creds client-side, since JS gives us real private vars with 
inner scope:

var authThing = new function () {
   var plaintextPass = '';
   this.storePass = function (str) {
     plaintextPass = str;
   };
   this.doAuthStuff = function () {
     // Do stuff with plaintextPass
   };
};

I'm pretty sure that would keep it secure from most casual attempts to 
grab it. I can't think of anything short of some kind of prototype 
hijacking that would get you access to it.

Obviously there are various levels of "secureness" -- I have always been 
mostly concerned about the ease of access we have now for someone who 
can quickly sit down and type "javascript:" into a location bar. Seems 
like an approach like this would close at least that kind of hole.

Thoughts?


Matthew
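
Added example, not part of the original message and not Cosmo code: the closure pattern above with doAuthStuff filled in as a WSSE header builder, using the digest formula from the article linked in the quoted text, PasswordDigest = Base64(SHA1(Nonce + Created + Password)). The names makeAuth and wsseHeader are hypothetical, the header layout follows that article's example, and it runs under Node.js so that SHA-1 comes from the built-in crypto module.

```javascript
// Added example. makeAuth and wsseHeader are hypothetical names, not Cosmo APIs.
const crypto = require('crypto');

function makeAuth(username) {
  // Lives only in this closure; it is never a property of the returned object,
  // so enumerating or serializing that object does not reveal it.
  let plaintextPass = '';

  return Object.freeze({
    storePass(str) {
      plaintextPass = String(str);
    },

    // Builds the value of an X-WSSE request header.
    // nonce and created can be passed in so the output is reproducible;
    // by default a fresh random nonce and the current time are used.
    wsseHeader(nonce = crypto.randomBytes(16).toString('hex'),
               created = new Date().toISOString()) {
      // The digest is computed over the plaintext password, so the client
      // still has to hold the password (here: inside the closure).
      const digest = crypto.createHash('sha1')
        .update(nonce + created + plaintextPass, 'utf8')
        .digest('base64');
      return 'UsernameToken Username="' + username + '", ' +
             'PasswordDigest="' + digest + '", ' +
             'Nonce="' + nonce + '", ' +
             'Created="' + created + '"';
    }
  });
}

// Constructed sample values, for illustration only.
function demo() {
  const auth = makeAuth('bob');
  auth.storePass('constructed-sample-pass');
  return {
    header: auth.wsseHeader('0123456789abcdef', '2007-11-28T18:58:31Z'),
    visibleKeys: Object.keys(auth),      // only the two methods
    serialized: JSON.stringify(auth)     // '{}': nothing to leak here
  };
}
```

Only the digest, nonce and timestamp go on the wire. Freezing the returned object stops its two methods from being reassigned on that object.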


