[Freeipa-users] Ipsilon and WebAthena

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Wed Jun 18 17:40:13 UTC 2014


> Where does the javascript come from ?
> How do you trust it is not going to send your password somewhere ?
> How do you trust another bug in the browser will not allow another "tab"
> to read the memory of the browser including your password or TGT ?
>
> There is a good reason crypto and keys on one side and javascript on the
> other should not come in contact, IMO.

Clearly there are potential problems. The question is, are they bigger problems than sending your password across the net? The first two questions are not specific to javascript, you should have the same concerns with any web password prompt, particularly those technologies which redirect browsers all over the internet. The last one is common to any session token you might have after authenticating. These are all high-visibility, well exercised regions of code which should get fixed quickly when a problem is detected.

How do you know openssl doesn't have another heartbleed bug in it?

Relevant questions are: Given that an HTTP basic auth challenge and the Kerberos javascript both would be protected/authenticated by the same SSL connection, is there a benefit to sending Kerberos exchanges instead of your password? Would implementing this strategy help reduce the number of websites which require their own user database, reducing users' exposure to ill-managed systems? (And if we assume they use the same password in more than one place: reduce the system manager's exposure to having someone else's compromised system plague my machines?)