Re: Basic Auth Prevalence (was Re: Intent to ship: Treat cookies set over non-secure HTTP as session cookies)

Mon, 13 Jun 2016 01:55:14 -0700 

On 11/06/2016 03:27, Jason Duell wrote:

This data also smells weird to me.  8% of pages using basic auth seems very
very high, and only 0.7% of basic auth being done unencypted seems low.



Nitpick: it's 0.7% of total traffic - 749k / 8.7 million ~> 8.6% of 
basic auth is over unencrypted connections.


~ Gijs



Perhaps we should chat in London (ideally with Honza Bambas) and make sure
we're getting the telemetry right here.

Jason

On Fri, Jun 10, 2016 at 2:15 PM, Adam Roach <a...@mozilla.com> wrote:


On 4/18/16 09:59, Richard Barnes wrote:


Could we just disable HTTP auth for connections not protected with TLS?
At
least Basic auth is manifestly insecure over an insecure transport.  I
don't have any usage statistics, but I suspect it's pretty low compared to
form-based auth.



As a follow up from this: we added telemetry to answer the exact question
about how prevalent Basic auth over non-TLS connections was. Now that 49 is
off Nightly, I pulled the stats for our new little counter.

It would appear telemetry was enabled for approximately 109M page
loads[1], of which approximately 8.7M[2] used HTTP auth -- or approximately
8% of all pages. (This is much higher than I expected -- approximately 1
out of 12 page loads uses HTTP auth? It seems far less dead than we
anticipated).

749k of those were unencrypted basic auth[2]; this constitutes
approximately 0.7% of all recorded traffic.

I'll look at the 49 Aurora stats when it has enough data -- it'll be
interesting to see how much if it is nontrivially different.

/a


[1]
https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2016-06-06&keys=__none__!__none__!__none__&max_channel_version=nightly%252F49&measure=HTTP_PAGELOAD_IS_SSL&min_channel_version=null&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2016-05-04&table=0&trim=1&use_submission_date=0

[2]
https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2016-06-06&keys=__none__!__none__!__none__&max_channel_version=nightly%252F49&measure=HTTP_AUTH_TYPE_STATS&min_channel_version=null&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2016-05-04&table=0&trim=1&use_submission_date=0


--
Adam Roach
Principal Platform Engineer
Office of the CTO
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform







_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
























					Reply via email to