Is there a way that we can gather if people are using this for testing web
sites? This might account for those numbers.

For example, there is basic support, and I mean really basic support, in
Selenium to handle Basic auth and we suggest that people set up a
proxy in the middle to handle that handshake. I suspect in these cases
people won't have all the necessary security setup if it is behind some
kind of firewall. Just a thought.

David

On 11 June 2016 at 03:27, Jason Duell <jdu...@mozilla.com> wrote:

> This data also smells weird to me.  8% of pages using basic auth seems very
> very high, and only 0.7% of basic auth being done unencrypted seems low.
>
> Perhaps we should chat in London (ideally with Honza Bambas) and make sure
> we're getting the telemetry right here.
>
> Jason
>
> On Fri, Jun 10, 2016 at 2:15 PM, Adam Roach <a...@mozilla.com> wrote:
>
> > On 4/18/16 09:59, Richard Barnes wrote:
> >
> >> Could we just disable HTTP auth for connections not protected with TLS? At
> >> least Basic auth is manifestly insecure over an insecure transport.  I
> >> don't have any usage statistics, but I suspect it's pretty low compared to
> >> form-based auth.
> >>
> >
> > As a follow up from this: we added telemetry to answer the exact question
> > about how prevalent Basic auth over non-TLS connections was. Now that 49 is
> > off Nightly, I pulled the stats for our new little counter.
> >
> > It would appear telemetry was enabled for approximately 109M page
> > loads[1], of which approximately 8.7M[2] used HTTP auth -- or approximately
> > 8% of all pages. (This is much higher than I expected -- approximately 1
> > out of 12 page loads uses HTTP auth? It seems far less dead than we
> > anticipated).
> >
> > 749k of those were unencrypted basic auth[2]; this constitutes
> > approximately 0.7% of all recorded traffic.
> >
> > I'll look at the 49 Aurora stats when it has enough data -- it'll be
> > interesting to see how much if it is nontrivially different.
> >
> > /a
> >
> >
> > [1]
> > https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2016-06-06&keys=__none__!__none__!__none__&max_channel_version=nightly%252F49&measure=HTTP_PAGELOAD_IS_SSL&min_channel_version=null&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2016-05-04&table=0&trim=1&use_submission_date=0
> >
> > [2]
> > https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2016-06-06&keys=__none__!__none__!__none__&max_channel_version=nightly%252F49&measure=HTTP_AUTH_TYPE_STATS&min_channel_version=null&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2016-05-04&table=0&trim=1&use_submission_date=0
> >
> >
> > --
> > Adam Roach
> > Principal Platform Engineer
> > Office of the CTO
> > _______________________________________________
> > dev-platform mailing list
> > dev-platform@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-platform
> >
>
>
>
> --
>
> Jason