Note the keyword generic - it specifically does not replace the protocol-specific
portions of 1738 and 1808.
> From: "Craig Dunn \(Chiizu\)" <craig_at_chiizu.com>
> Reply-To: keitai-l_at_appelsiini.net
> Date: Thu, 19 Oct 2000 10:37:24 +1000
> To: <keitai-l_at_appelsiini.net>
> Subject: (keitai-l) Re: defining feature
> RFC2396 (August '98) "revises and replaces the generic definitions in RFC
> 1738 and RFC 1808" and also addresses the questions from the list.
> Some URL schemes use the format "user:password" in the userinfo
> field. This practice is NOT RECOMMENDED, because the passing of
> authentication information in clear text (such as URI) has proven to
> be a security risk in almost every case where it has been used.
> The "user:password" form in the previous BNF was changed to a
> "userinfo" token, and the possibility that it might be
> "user:password" made scheme specific. In particular, the use of
> passwords in the clear is not even suggested by the syntax.
> So yes, the user:password syntax is not secure; but yes it is valid syntax
> in HTTP (I think, for Basic Authentication at least) and shouldn't break the
> gateway or browser.
Received on Thu Oct 19 02:44:11 2000
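The userinfo handling discussed above, as an added example that is not part of the thread: a small parser following the RFC 2396 generic syntax (scheme, "//" authority, rest) that splits userinfo off the authority at the last "@", reports whether the scheme-specific "user:password" form was used, and returns a copy with the password removed so the URI can be logged without leaking the credential. The regex and function names are my own, not from the RFC or the message.

```python
import re

# Generic URI syntax in the spirit of RFC 2396 appendix B: an optional scheme,
# an optional "//authority", and everything else (path, query, fragment).
# The pattern is constructed for this example, not taken from the RFC text.
_URI_RE = re.compile(
    r'^(?:(?P<scheme>[^:/?#]+):)?'
    r'(?://(?P<authority>[^/?#]*))?'
    r'(?P<rest>.*)$', re.DOTALL)


def split_userinfo(authority):
    """Return (userinfo, hostport); userinfo is None when there is no '@'."""
    if '@' not in authority:
        return None, authority
    # Userinfo ends at the LAST '@' in the authority component; an '@' that
    # appears inside the userinfo itself (percent-unencoded) is kept there.
    userinfo, _, hostport = authority.rpartition('@')
    return userinfo, hostport


def inspect_uri(uri):
    """Report whether a URI carries cleartext credentials in its userinfo.

    Returns a dict with the scheme, the user name (if any), 'has_password'
    telling whether the 'user:password' form was used, and 'redacted', a
    copy of the URI with the password dropped that is safe to write to logs.
    """
    m = _URI_RE.match(uri)
    scheme, authority, rest = m.group('scheme'), m.group('authority'), m.group('rest')
    result = {'scheme': scheme, 'user': None, 'has_password': False, 'redacted': uri}
    if authority is None:
        # No "//" part, so no authority and no userinfo: the '@' in a
        # mailto: address is part of the scheme-specific part, not userinfo.
        return result
    userinfo, hostport = split_userinfo(authority)
    if userinfo is None:
        return result
    user, sep, _password = userinfo.partition(':')
    result['user'] = user
    result['has_password'] = bool(sep)
    # Keep the user name so the log line stays attributable; drop the secret.
    safe_auth = f"{user}@{hostport}" if user else hostport
    prefix = f"{scheme}:" if scheme is not None else ""
    result['redacted'] = f"{prefix}//{safe_auth}{rest}"
    return result
```

A gateway or log pipeline can run `inspect_uri` over incoming request URIs and alert on `has_password` while storing only `redacted`.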