(keitai-l) Re: defining feature

From: Craig Dunn (Chiizu) <craig_at_chiizu.com>
Date: 10/19/00
Message-ID: <LPBBJHDMHIIMCADKJOIMGEJKCFAA.craig@chiizu.com>
http://www.ietf.org/rfc/rfc2396.txt?number=2396
RFC2396 (August '98) "revises and replaces the generic definitions in RFC
1738 and RFC 1808" and also addresses the questions from the list.

...
§3.2.2
   Some URL schemes use the format "user:password" in the userinfo
   field. This practice is NOT RECOMMENDED, because the passing of
   authentication information in clear text (such as URI) has proven to
   be a security risk in almost every case where it has been used.
...
§G.2
   The "user:password" form in the previous BNF was changed to a
   "userinfo" token, and the possibility that it might be
   "user:password" made scheme specific. In particular, the use of
   passwords in the clear is not even suggested by the syntax.
...

So yes, the user:password syntax is not secure; but yes, it is valid syntax
in HTTP (I think, for Basic Authentication at least) and shouldn't break the
gateway or browser.

Craig
Received on Thu Oct 19 02:32:12 2000
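The userinfo handling the RFC excerpts above describe, as an added example (not code from Craig's message, the keitai-l list, or RFC 2396 itself): the component-splitting regular expression is the one given in RFC 2396 Appendix B, and the authority is split into userinfo and hostport per section 3.2.2. The pattern used to spot URIs inside free text, the sample config lines and every function name are assumptions made for this illustration. The block shows three things a practitioner wants when user:password turns up in a URL: how to detect it (including in a config file or log), how to redact it before logging, and what a client actually does with it for Basic Authentication (RFC 2617), which makes clear that the password travels just as much in the clear as it sat in the URI.

```python
import base64
import re
from urllib.parse import unquote

# Regular expression from RFC 2396 Appendix B: splits a URI reference into
# scheme (group 2), authority (4), path (5), query (7) and fragment (9).
RFC2396_URI_RE = re.compile(
    r'^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?'
)

# Rough "find a URI inside free text" pattern; an assumption for the scanner
# below, since RFC 2396 only says how to parse a URI once you have one.
URI_IN_TEXT_RE = re.compile(r'[A-Za-z][A-Za-z0-9+.-]*://[^\s"\'<>]+')


def split_uri(uri):
    """Return (scheme, authority, path, query, fragment); absent parts are None."""
    m = RFC2396_URI_RE.match(uri)
    return m.group(2), m.group(4), m.group(5), m.group(7), m.group(9)


def join_uri(scheme, authority, path, query, fragment):
    """Inverse of split_uri, following the recomposition in RFC 2396 5.2 step 7."""
    out = ''
    if scheme is not None:
        out += scheme + ':'
    if authority is not None:
        out += '//' + authority
    out += path or ''
    if query is not None:
        out += '?' + query
    if fragment is not None:
        out += '#' + fragment
    return out


def split_authority(authority):
    """Split a server-based authority (RFC 2396 3.2.2) into (userinfo, hostport).

    An unescaped '@' is not permitted inside userinfo, so a conformant URI has
    at most one; splitting on the last '@' also copes with the common mistake
    of an unescaped e-mail address used as the user name."""
    if '@' not in authority:
        return None, authority
    userinfo, _, hostport = authority.rpartition('@')
    return userinfo, hostport


def extract_credentials(uri):
    """Return (user, password) from userinfo, or None if there is no userinfo.

    password is None when userinfo carries no ':' (user only).
    Percent-escapes are decoded, so 'p%40ss' comes back as 'p@ss'."""
    _, authority, _, _, _ = split_uri(uri)
    if not authority:
        return None
    userinfo, _ = split_authority(authority)
    if userinfo is None:
        return None
    user, sep, password = userinfo.partition(':')
    return unquote(user), (unquote(password) if sep else None)


def redact_credentials(uri):
    """Replace the password in userinfo with '***' so the URI can be logged."""
    scheme, authority, path, query, fragment = split_uri(uri)
    if not authority:
        return uri
    userinfo, hostport = split_authority(authority)
    if userinfo is None or ':' not in userinfo:
        return uri
    user = userinfo.partition(':')[0]
    return join_uri(scheme, user + ':***@' + hostport, path, query, fragment)


def basic_auth_header(uri):
    """What a client does with user:password in an http URL: an RFC 2617
    Basic credential, base64("user:password"). base64 is an encoding, not
    encryption, so the password is exactly as exposed as it was in the URI."""
    creds = extract_credentials(uri)
    if creds is None:
        return None
    user, password = creds
    raw = f'{user}:{password or ""}'.encode('latin-1')
    return 'Basic ' + base64.b64encode(raw).decode('ascii')


def find_credential_uris(text):
    """Scan free text (a config file, a log) for URIs that carry a password."""
    found = []
    for m in URI_IN_TEXT_RE.finditer(text):
        creds = extract_credentials(m.group(0))
        if creds is not None and creds[1] is not None:
            found.append(m.group(0))
    return found


# Constructed sample config lines, not taken from any real system.
SAMPLE_CONFIG = """\
upstream = http://alice:s3cret@host.example/api
mirror   = http://host.example/mirror
feed     = ftp://anonymous@ftp.example/pub
"""

if __name__ == '__main__':
    for uri in find_credential_uris(SAMPLE_CONFIG):
        print('clear-text password in', redact_credentials(uri))
        print('  client would send Authorization:', basic_auth_header(uri))
```

Only the `ftp://anonymous@...` line escapes the scanner, because it has a user name but no password; `extract_credentials` still reports the user so a caller can decide whether a bare user name in a URL is acceptable for its gateway.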