Is there a way that we can gather if people are using this for testing web sites? This might account for those numbers.
For example, there is basic support, and I mean really basic support, in Selenium to handle Basic auth, and we suggest that people set up a proxy in the middle to handle that handshake. I suspect in these cases people won't have all the necessary security setup if it is behind some kind of firewall.

Just a thought.

David

On 11 June 2016 at 03:27, Jason Duell <jdu...@mozilla.com> wrote:

> This data also smells weird to me. 8% of pages using basic auth seems very very high, and only 0.7% of basic auth being done unencrypted seems low.
>
> Perhaps we should chat in London (ideally with Honza Bambas) and make sure we're getting the telemetry right here.
>
> Jason
>
> On Fri, Jun 10, 2016 at 2:15 PM, Adam Roach <a...@mozilla.com> wrote:
>
> > On 4/18/16 09:59, Richard Barnes wrote:
> >
> >> Could we just disable HTTP auth for connections not protected with TLS? At least Basic auth is manifestly insecure over an insecure transport. I don't have any usage statistics, but I suspect it's pretty low compared to form-based auth.
> >
> > As a follow up from this: we added telemetry to answer the exact question about how prevalent Basic auth over non-TLS connections was. Now that 49 is off Nightly, I pulled the stats for our new little counter.
> >
> > It would appear telemetry was enabled for approximately 109M page loads[1], of which approximately 8.7M[2] used HTTP auth -- or approximately 8% of all pages. (This is much higher than I expected -- approximately 1 out of 12 page loads uses HTTP auth? It seems far less dead than we anticipated).
> >
> > 749k of those were unencrypted basic auth[2]; this constitutes approximately 0.7% of all recorded traffic.
> >
> > I'll look at the 49 Aurora stats when it has enough data -- it'll be interesting to see how much if it is nontrivially different.
> >
> > /a
> >
> > [1] https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2016-06-06&keys=__none__!__none__!__none__&max_channel_version=nightly%252F49&measure=HTTP_PAGELOAD_IS_SSL&min_channel_version=null&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2016-05-04&table=0&trim=1&use_submission_date=0
> >
> > [2] https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2016-06-06&keys=__none__!__none__!__none__&max_channel_version=nightly%252F49&measure=HTTP_AUTH_TYPE_STATS&min_channel_version=null&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2016-05-04&table=0&trim=1&use_submission_date=0
> >
> > --
> > Adam Roach
> > Principal Platform Engineer
> > Office of the CTO
> > _______________________________________________
> > dev-platform mailing list
> > dev-platform@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-platform
>
> --
> Jason