I concur. 1 in every 12 loads requires an HTTP auth prompt? Seems very high. Visual inspection of the probe implementations [1] [2] shows no obvious faults, so I'm not sure what's going on here.

[1] https://dxr.mozilla.org/mozilla-central/source/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp#782
[2] https://dxr.mozilla.org/mozilla-central/source/netwerk/protocol/http/nsHttpChannel.cpp#1608

On Mon, Jun 13, 2016 at 7:22 AM, David Burns <dbu...@mozilla.com> wrote:

> Is there a way that we can gather if people are using this for testing web
> sites? This might account for those numbers.
>
> For example, there is basic support, and I mean really basic support, in
> Selenium to handle Basic auth and we suggest to people that setting up a
> proxy in the middle to handle that handshake. I suspect in these cases
> people won't have all the necessary security setup if it is behind some
> kind of firewall. Just a thought.
>
> David
>
> On 11 June 2016 at 03:27, Jason Duell <jdu...@mozilla.com> wrote:
>
> > This data also smells weird to me. 8% of pages using basic auth seems
> > very very high, and only 0.7% of basic auth being done unencrypted
> > seems low.
> >
> > Perhaps we should chat in London (ideally with Honza Bambas) and make
> > sure we're getting the telemetry right here.
> >
> > Jason
> >
> > On Fri, Jun 10, 2016 at 2:15 PM, Adam Roach <a...@mozilla.com> wrote:
> >
> > > On 4/18/16 09:59, Richard Barnes wrote:
> > >
> > >> Could we just disable HTTP auth for connections not protected with
> > >> TLS? At least Basic auth is manifestly insecure over an insecure
> > >> transport. I don't have any usage statistics, but I suspect it's
> > >> pretty low compared to form-based auth.
> > >>
> > >
> > > As a follow up from this: we added telemetry to answer the exact
> > > question about how prevalent Basic auth over non-TLS connections was.
> > > Now that 49 is off Nightly, I pulled the stats for our new little
> > > counter.
> > >
> > > It would appear telemetry was enabled for approximately 109M page
> > > loads[1], of which approximately 8.7M[2] used HTTP auth -- or
> > > approximately 8% of all pages. (This is much higher than I expected --
> > > approximately 1 out of 12 page loads uses HTTP auth? It seems far less
> > > dead than we anticipated).
> > >
> > > 749k of those were unencrypted basic auth[2]; this constitutes
> > > approximately 0.7% of all recorded traffic.
> > >
> > > I'll look at the 49 Aurora stats when it has enough data -- it'll be
> > > interesting to see how much of it is nontrivially different.
> > >
> > > /a
> > >
> > >
> > > [1]
> > > https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2016-06-06&keys=__none__!__none__!__none__&max_channel_version=nightly%252F49&measure=HTTP_PAGELOAD_IS_SSL&min_channel_version=null&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2016-05-04&table=0&trim=1&use_submission_date=0
> > >
> > > [2]
> > > https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2016-06-06&keys=__none__!__none__!__none__&max_channel_version=nightly%252F49&measure=HTTP_AUTH_TYPE_STATS&min_channel_version=null&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2016-05-04&table=0&trim=1&use_submission_date=0
> > >
> > >
> > > --
> > > Adam Roach
> > > Principal Platform Engineer
> > > Office of the CTO
> > > _______________________________________________
> > > dev-platform mailing list
> > > dev-platform@lists.mozilla.org
> > > https://lists.mozilla.org/listinfo/dev-platform
> > >
> >
> > --
> >
> > Jason