
Re: disallowing userinfo in http and https URIs

From: Martin J. Dürst <duerst@it.aoyama.ac.jp>
Date: Wed, 28 Jul 2010 19:57:26 +0900
Message-ID: <4C500D16.9000201@it.aoyama.ac.jp>
To: Mark Baker <mark@zepheira.com>
CC: "Roy T. Fielding" <fielding@gbiv.com>, HTTP Working Group <ietf-http-wg@w3.org>


On 2010/07/28 13:02, Mark Baker wrote:

> FWIW, we use this construct in the Akara HTTP server project, but
> those http URIs are only ever found in configuration files, never on
> the wire.
>
> The use of userinfo on the wire is obviously a security nightmare, and
> I welcome bold warnings about its use, but I wonder if requiring they
> be treated as erroneous is necessary, especially when there's so many
> existing agents which silently ignore it (just tested Firefox 3.6.8,
> latest Chrome beta, wget), or support it by initiating basic auth
> (curl).

I have only very limited experience with userinfo. However, the one I 
have doesn't suggest it gets disallowed. There is not much difference 
between sending passwords in clear in email as:

go to page http://foo.org/bar
user: us_only
password: secret

and:

go to page http://us_only:secret@foo.org/bar

when people are aware of the fact that this page isn't for everybody's 
eyes. However, the latter is way more practical.

Regards,    Martin.

-- 
#-# Martin J. Dürst, Professor, Aoyama Gakuin University
#-# http://www.sw.it.aoyama.ac.jp   mailto:duerst@it.aoyama.ac.jp
Received on Wednesday, 28 July 2010 10:58:19 GMT
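As an added example (not code from the original thread or from the Akara project), a small Python helper that does what the agents mentioned above do with userinfo: find it in an http/https URI, strip it before anything goes on the wire, redact it for logging, and show the Basic credentials a curl-style client would derive from it. The sample config text, the function names and the REDACTED marker are assumptions of this example.

```python
import base64
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# RFC 3986: authority = [ userinfo "@" ] host [ ":" port ]
# userinfo may not contain "@", so the last "@" in the authority is the delimiter.

def split_userinfo(uri):
    """Return (userinfo or None, uri with the userinfo removed) for an http(s) URI."""
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError("not an http/https URI: %r" % uri)
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at:
        return None, uri  # no userinfo: nothing to strip
    # Effectively what Firefox/wget do before putting the request on the wire.
    return userinfo, urlunsplit((parts.scheme, hostport, parts.path, parts.query, parts.fragment))

def redact_userinfo(uri):
    """Replace the userinfo with a marker so the URI is safe to write to a log."""
    userinfo, stripped = split_userinfo(uri)
    if userinfo is None:
        return stripped
    p = urlsplit(stripped)
    return urlunsplit((p.scheme, "REDACTED@" + p.netloc, p.path, p.query, p.fragment))

def basic_auth_header(userinfo):
    """The Authorization value a curl-style client derives from the userinfo (RFC 7617).
    Percent-encoding from the URI is undone first; the result is base64, not encryption."""
    creds = unquote(userinfo)
    return "Basic " + base64.b64encode(creds.encode("utf-8")).decode("ascii")

URI_RE = re.compile(r"https?://[^\s\"'<>]+")

def find_credentialed_uris(text):
    """Scan free text (a config file, a log) for http(s) URIs that carry userinfo."""
    return [m.group(0) for m in URI_RE.finditer(text)
            if split_userinfo(m.group(0))[0] is not None]

# Constructed sample input (not from the original post); an assumption of this example.
SAMPLE_CONFIG = """\
GET http://foo.org/public 200
upstream = http://us_only:secret@foo.org/bar
"""

if __name__ == "__main__":
    for uri in find_credentialed_uris(SAMPLE_CONFIG):
        print("credentials in URI:", redact_userinfo(uri))
```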
