Note the keyword "generic" - it specifically does not replace the protocol-specific
portions of 1738 and 1808.
Eric Hildum
> From: "Craig Dunn \(Chiizu\)" <craig@chiizu.com>
> Reply-To: keitai-l@appelsiini.net
> Date: Thu, 19 Oct 2000 10:37:24 +1000
> To: <keitai-l@appelsiini.net>
> Subject: (keitai-l) Re: defining feature
>
> http://www.ietf.org/rfc/rfc2396.txt?number=2396
> RFC2396 (August '98) "revises and replaces the generic definitions in RFC
> 1738 and RFC 1808" and also addresses the questions from the list.
>
> ...
> §3.2.2
> Some URL schemes use the format "user:password" in the userinfo
> field. This practice is NOT RECOMMENDED, because the passing of
> authentication information in clear text (such as URI) has proven to
> be a security risk in almost every case where it has been used.
> ...
> §G.2
> The "user:password" form in the previous BNF was changed to a
> "userinfo" token, and the possibility that it might be
> "user:password" made scheme specific. In particular, the use of
> passwords in the clear is not even suggested by the syntax.
> ...
>
> So yes, the user:password syntax is not secure; but yes it is valid syntax
> in HTTP (I think, for Basic Authentication at least) and shouldn't break the
> gateway or browser.
>
> Craig
Received on Thu Oct 19 02:44:11 2000
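An added example, not part of the thread: it splits a URI into the generic components of RFC 2396 (using the regular expression from that RFC's Appendix B), isolates the userinfo field discussed in §3.2.2, and flags or redacts the discouraged "user:password" form so the password never reaches a gateway or proxy log. The sample URIs are constructed.

```python
import re
from typing import Dict, Optional

# Generic URI syntax; the regular expression is the one given in RFC 2396, Appendix B.
_URI_RE = re.compile(r"^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?")


def parse_uri(uri: str) -> Dict[str, Optional[str]]:
    """Split a URI into scheme, authority, path, query, fragment, then split the
    authority into userinfo, host and port as in RFC 2396 section 3.2.2."""
    m = _URI_RE.match(uri)
    scheme, authority, path, query, fragment = m.group(2, 4, 5, 7, 9)
    userinfo = host = port = None
    if authority is not None:
        hostport = authority
        # "@" is a delimiter that cannot appear in hostport, so the last one
        # separates userinfo from host even if the password contains an unescaped "@".
        if "@" in authority:
            userinfo, hostport = authority.rsplit("@", 1)
        host, sep, port = hostport.partition(":")
        port = port if sep else None
    return {"scheme": scheme, "authority": authority, "userinfo": userinfo,
            "host": host, "port": port, "path": path, "query": query,
            "fragment": fragment}


def embeds_password(uri: str) -> bool:
    """True when the userinfo field uses the NOT RECOMMENDED "user:password" form."""
    info = parse_uri(uri)["userinfo"]
    return info is not None and ":" in info


def redact_userinfo(uri: str) -> str:
    """Return the URI with the password part of userinfo replaced, for safe logging.
    URIs without a user:password userinfo are returned unchanged."""
    parts = parse_uri(uri)
    if not embeds_password(uri):
        return uri
    user = parts["userinfo"].partition(":")[0]
    hostport = parts["host"] + (f":{parts['port']}" if parts["port"] else "")
    redacted_authority = f"{user}:REDACTED@{hostport}"
    # Only the first "//authority" occurrence is the authority component.
    return uri.replace("//" + parts["authority"], "//" + redacted_authority, 1)


if __name__ == "__main__":
    # Constructed sample URIs: one with clear-text credentials, two without.
    for sample in ("http://user:secret@www.example.com:8080/path?q=1#frag",
                   "ftp://alice@ftp.example.org/pub/",
                   "mailto:bob@example.org"):
        print(embeds_password(sample), redact_userinfo(sample))
```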