Re: disallowing userinfo in http and https URIs

On 2010/07/28 13:02, Mark Baker wrote:

> FWIW, we use this construct in the Akara HTTP server project, but
> those http URIs are only ever found in configuration files, never on
> the wire.
>
> The use of userinfo on the wire is obviously a security nightmare, and
> I welcome bold warnings about its use, but I wonder if requiring they
> be treated as erroneous is necessary, especially when there's so many
> existing agents which silently ignore it (just tested Firefox 3.6.8,
> latest Chrome beta, wget), or support it by initiating basic auth
> (curl).

I have only very limited experience with userinfo. However, the one I 
have doesn't suggest it gets disallowed. There is not much difference 
between sending passwords in clear in email as:

go to page http://foo.org/bar
user: us_only
password: secret

and:

go to page http://us_only:secret@foo.org/bar

when people are aware of the fact that this page isn't for everybody's 
eyes. However, the latter is way more practical.

Regards,    Martin.

-- 
#-# Martin J. Dürst, Professor, Aoyama Gakuin University
#-# http://www.sw.it.aoyama.ac.jp   mailto:duerst@it.aoyama.ac.jp

Received on Wednesday, 28 July 2010 10:58:19 UTC
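As an added illustration of the three agent behaviours the quoted reply lists (reject, silently ignore, or convert to Basic auth), the following Python is an editor's example, not code from the thread, from Akara, or from any of the agents named. It splits the userinfo off an http(s) URI per RFC 3986 section 3.2.1, and then applies one of the three policies; the "basic" policy builds an RFC 7617 Authorization header so the credentials never travel in the request line. The sample URIs and the `policy` names are constructed for this example.

```python
import base64
from urllib.parse import unquote, urlsplit, urlunsplit

# Constructed sample URIs for the demonstration (not taken from the thread).
SAMPLES = [
    "http://us_only:secret@foo.org/bar",
    "https://foo.org/bar?x=1",
    "http://us%40example.com:p%3Ass@foo.org:8080/bar",
]


def split_userinfo(uri):
    """Split an http/https URI into (uri_without_userinfo, userinfo).

    userinfo is the raw, still percent-encoded text before the last '@'
    of the authority (RFC 3986 3.2.1); '@' cannot occur in host or port,
    so rpartition is the correct split.  Returns None as userinfo when
    the URI carries none.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError("not an http(s) URI: %r" % uri)
    userinfo, sep, hostport = parts.netloc.rpartition("@")
    if not sep:
        return uri, None
    clean = urlunsplit((parts.scheme, hostport, parts.path,
                        parts.query, parts.fragment))
    return clean, userinfo


def basic_auth_header(userinfo):
    """Turn a userinfo string into an RFC 7617 Basic credential.

    The first ':' separates user from password (both still percent-encoded
    in the URI form, so they are decoded before base64-encoding).
    """
    user, _, password = userinfo.partition(":")
    creds = "%s:%s" % (unquote(user), unquote(password))
    token = base64.b64encode(creds.encode("utf-8")).decode("ascii")
    return "Basic " + token


def prepare_request(uri, policy="reject"):
    """Apply one agent policy (hypothetical names) to a URI with userinfo.

    policy="reject": treat userinfo as an error (the proposal under discussion)
    policy="ignore": silently drop it (the Firefox/Chrome/wget behaviour cited)
    policy="basic":  drop it from the wire and send it as Basic auth (curl)
    Returns (uri_to_send, headers) where headers is a dict.
    """
    clean, userinfo = split_userinfo(uri)
    if userinfo is None:
        return clean, {}
    if policy == "reject":
        raise ValueError("userinfo is not allowed in http(s) URIs: %r" % uri)
    if policy == "ignore":
        return clean, {}
    if policy == "basic":
        return clean, {"Authorization": basic_auth_header(userinfo)}
    raise ValueError("unknown policy %r" % policy)


def demo():
    """Run every sample through every policy; returns a list of outcomes."""
    results = []
    for uri in SAMPLES:
        for policy in ("reject", "ignore", "basic"):
            try:
                results.append((uri, policy, prepare_request(uri, policy)))
            except ValueError as exc:
                results.append((uri, policy, "ERROR: %s" % exc))
    return results


if __name__ == "__main__":
    for uri, policy, outcome in demo():
        print("%-8s %s\n         -> %r" % (policy, uri, outcome))
```

Whatever policy an agent picks, the credential is gone from the request-target it sends; the difference is only whether it is discarded, surfaced as an error, or moved into a header. Note that percent-encoding in userinfo must be decoded before base64-encoding, otherwise a user name containing '@' or a password containing ':' is sent wrong.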