RFC 2396 (August '98) "revises and replaces the generic definitions in RFC
1738 and RFC 1808" and also addresses the questions from the list.

Some URL schemes use the format "user:password" in the userinfo
field. This practice is NOT RECOMMENDED, because the passing of
authentication information in clear text (such as URI) has proven to
be a security risk in almost every case where it has been used.

The "user:password" form in the previous BNF was changed to a
"userinfo" token, and the possibility that it might be
"user:password" made scheme specific. In particular, the use of
passwords in the clear is not even suggested by the syntax.

So yes, the user:password syntax is not secure; but yes, it is valid syntax
in HTTP (I think, for Basic Authentication at least) and shouldn't break the
gateway or browser.
Received on Thu Oct 19 02:32:12 2000
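The RFC 2396 point above, as an added example that is not part of the original message: a standard-library Python check that detects the "user:password" userinfo form and redacts the password before a URI is stored in a log or forwarded, relying on urllib.parse splitting userinfo at the last '@' of the authority. The function names and the sample log lines are constructed for this example.

```python
"""Detect and redact "user:password" userinfo in URIs (RFC 2396 section 3.2.2).
Added example; not code from the original message or any RFC. Stdlib only."""
import re
from urllib.parse import urlsplit, urlunsplit

REDACTED = "REDACTED"  # written in place of any embedded password

# Loose matcher for absolute URIs embedded in free text such as log lines.
URI_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://[^\s\"'<>]+")


def embedded_credentials(uri):
    """Return (username, password) from the userinfo field, or None.
    urlsplit treats text before the last '@' of the authority as userinfo and
    reports a password only when it contains ':' (the NOT RECOMMENDED form)."""
    parts = urlsplit(uri)
    if parts.password is None:      # no userinfo, or "user@" with no ':'
        return None
    return parts.username or "", parts.password


def redact_uri(uri):
    """Return the URI with an embedded password replaced by REDACTED.
    The username is kept so the URI stays attributable; host/port text after
    the last '@' is copied verbatim so IPv6 literals such as [::1] survive."""
    parts = urlsplit(uri)
    if parts.password is None:
        return uri
    userinfo, _, hostport = parts.netloc.rpartition("@")
    netloc = f"{userinfo.partition(':')[0]}:{REDACTED}@{hostport}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def redact_log_lines(lines):
    """Redact credentialed URIs in text lines; return (cleaned_lines, hits).
    'hits' lets a log pipeline alert on how many such URIs were seen."""
    hits = 0

    def _sub(match):
        nonlocal hits
        uri = match.group(0)
        if embedded_credentials(uri) is None:
            return uri
        hits += 1
        return redact_uri(uri)

    return [URI_RE.sub(_sub, line) for line in lines], hits
```

A bare "user@host" (no ':') is left untouched, since RFC 2396 only warns against the password-carrying form.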