http://www.ietf.org/rfc/rfc2396.txt?number=2396
RFC2396 (August '98) "revises and replaces the generic definitions in RFC
1738 and RFC 1808" and also addresses the questions from the list.
...
§3.2.2
Some URL schemes use the format "user:password" in the userinfo
field. This practice is NOT RECOMMENDED, because the passing of
authentication information in clear text (such as URI) has proven to
be a security risk in almost every case where it has been used.
...
§G.2
The "user:password" form in the previous BNF was changed to a
"userinfo" token, and the possibility that it might be
"user:password" made scheme specific. In particular, the use of
passwords in the clear is not even suggested by the syntax.
...
So yes, the user:password syntax is not secure; but yes it is valid syntax
in HTTP (I think, for Basic Authentication at least) and shouldn't break the
gateway or browser.
Craig
Received on Thu Oct 19 02:32:12 2000
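As an added example that is not part of Craig's message or of RFC 2396 itself, the following Python splits the userinfo field of a URI along the RFC 2396 §3.2.2 grammar, flags a clear-text "user:password", and redacts the password so the URI can be logged without leaking credentials. The sample URIs and the `[REDACTED]` marker are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# RFC 2396 §3.2.2:  server   = [ [ userinfo "@" ] hostport ]
#                    userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )
# The split of userinfo into "user:password" is scheme-specific (Appendix G.2);
# this regex applies the convention most schemes (e.g. http, ftp) use.
_USERINFO_RE = re.compile(r"^(?P<user>[^:@]*)(?::(?P<password>[^@]*))?$")


def split_userinfo(uri):
    """Return (user, password) from the userinfo field; (None, None) if absent.

    A bare "user@" yields (user, None); "user:@" yields (user, "")."""
    parts = urlsplit(uri)
    if "@" not in parts.netloc:
        return None, None
    # An unescaped "@" is not allowed inside userinfo, so the last "@" ends it.
    userinfo = parts.netloc.rsplit("@", 1)[0]
    match = _USERINFO_RE.match(userinfo)
    if not match:
        return None, None
    return match.group("user"), match.group("password")


def has_cleartext_password(uri):
    """True when the URI carries a non-empty password in the clear,
    the practice RFC 2396 §3.2.2 marks NOT RECOMMENDED."""
    _, password = split_userinfo(uri)
    return bool(password)


def redact_userinfo(uri):
    """Replace the password in userinfo with a fixed marker, keeping the
    user name, host, port, path and query intact for logging."""
    parts = urlsplit(uri)
    if "@" not in parts.netloc:
        return uri
    user, password = split_userinfo(uri)
    if password is None:
        return uri  # no ":" in userinfo, nothing to redact
    hostport = parts.netloc.rsplit("@", 1)[1]
    netloc = f"{user}:[REDACTED]@{hostport}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample input.
    sample = "http://alice:s3cret@example.com:8080/path?q=1"
    print(has_cleartext_password(sample), redact_userinfo(sample))
```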