Re: Basic Auth Prevalence (was Re: Intent to ship: Treat cookies set over non-secure HTTP as session cookies)
I concur. 1 in every 12 loads require an HTTP auth prompt? Seems very high. Visual inspection of the probe implementations [1] [2] shows no obvious faults, so I'm not sure what's going on here.

[1] https://dxr.mozilla.org/mozilla-central/source/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp#782
[2] https://dxr.mozilla.org/mozilla-central/source/netwerk/protocol/http/nsHttpChannel.cpp#1608

On Mon, Jun 13, 2016 at 7:22 AM, David Burns wrote:
> Is there a way that we can gather if people are using this for testing web sites? This might account for those numbers.
>
> For example, there is basic support, and I mean really basic support, in Selenium to handle Basic auth and we suggest that people set up a proxy in the middle to handle that handshake. I suspect in these cases people won't have all the necessary security setup if it is behind some kind of firewall. Just a thought.
>
> David
>
> On 11 June 2016 at 03:27, Jason Duell wrote:
> > This data also smells weird to me. 8% of pages using basic auth seems very very high, and only 0.7% of basic auth being done unencrypted seems low.
> >
> > Perhaps we should chat in London (ideally with Honza Bambas) and make sure we're getting the telemetry right here.
> >
> > Jason
> >
> > On Fri, Jun 10, 2016 at 2:15 PM, Adam Roach wrote:
> > > On 4/18/16 09:59, Richard Barnes wrote:
> > > > Could we just disable HTTP auth for connections not protected with TLS? At least Basic auth is manifestly insecure over an insecure transport. I don't have any usage statistics, but I suspect it's pretty low compared to form-based auth.
> > >
> > > As a follow up from this: we added telemetry to answer the exact question about how prevalent Basic auth over non-TLS connections was. Now that 49 is off Nightly, I pulled the stats for our new little counter.
> > >
> > > It would appear telemetry was enabled for approximately 109M page loads[1], of which approximately 8.7M[2] used HTTP auth -- or approximately 8% of all pages. (This is much higher than I expected -- approximately 1 out of 12 page loads uses HTTP auth? It seems far less dead than we anticipated).
> > >
> > > 749k of those were unencrypted basic auth[2]; this constitutes approximately 0.7% of all recorded traffic.
> > >
> > > I'll look at the 49 Aurora stats when it has enough data -- it'll be interesting to see how much if it is nontrivially different.
> > >
> > > /a
> > >
> > > [1] https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0_date=2016-06-06=__none__!__none__!__none___channel_version=nightly%252F49=HTTP_PAGELOAD_IS_SSL_channel_version=null=Firefox=1_keys=submissions_date=2016-05-04=0=1_submission_date=0
> > > [2] https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0_date=2016-06-06=__none__!__none__!__none___channel_version=nightly%252F49=HTTP_AUTH_TYPE_STATS_channel_version=null=Firefox=1_keys=submissions_date=2016-05-04=0=1_submission_date=0
> > >
> > > --
> > > Adam Roach
> > > Principal Platform Engineer
> > > Office of the CTO
> > > ___
> > > dev-platform mailing list
> > > dev-platform@lists.mozilla.org
> > > https://lists.mozilla.org/listinfo/dev-platform
> >
> > --
> > Jason
Re: Basic Auth Prevalence (was Re: Intent to ship: Treat cookies set over non-secure HTTP as session cookies)
Is there a way that we can gather if people are using this for testing web sites? This might account for those numbers.

For example, there is basic support, and I mean really basic support, in Selenium to handle Basic auth and we suggest that people set up a proxy in the middle to handle that handshake. I suspect in these cases people won't have all the necessary security setup if it is behind some kind of firewall. Just a thought.

David

On 11 June 2016 at 03:27, Jason Duell wrote:
> This data also smells weird to me. 8% of pages using basic auth seems very very high, and only 0.7% of basic auth being done unencrypted seems low.
>
> Perhaps we should chat in London (ideally with Honza Bambas) and make sure we're getting the telemetry right here.
>
> Jason
>
> On Fri, Jun 10, 2016 at 2:15 PM, Adam Roach wrote:
> > On 4/18/16 09:59, Richard Barnes wrote:
> > > Could we just disable HTTP auth for connections not protected with TLS? At least Basic auth is manifestly insecure over an insecure transport. I don't have any usage statistics, but I suspect it's pretty low compared to form-based auth.
> >
> > As a follow up from this: we added telemetry to answer the exact question about how prevalent Basic auth over non-TLS connections was. Now that 49 is off Nightly, I pulled the stats for our new little counter.
> >
> > It would appear telemetry was enabled for approximately 109M page loads[1], of which approximately 8.7M[2] used HTTP auth -- or approximately 8% of all pages. (This is much higher than I expected -- approximately 1 out of 12 page loads uses HTTP auth? It seems far less dead than we anticipated).
> >
> > 749k of those were unencrypted basic auth[2]; this constitutes approximately 0.7% of all recorded traffic.
> >
> > I'll look at the 49 Aurora stats when it has enough data -- it'll be interesting to see how much if it is nontrivially different.
> >
> > /a
> >
> > [1] https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0_date=2016-06-06=__none__!__none__!__none___channel_version=nightly%252F49=HTTP_PAGELOAD_IS_SSL_channel_version=null=Firefox=1_keys=submissions_date=2016-05-04=0=1_submission_date=0
> > [2] https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0_date=2016-06-06=__none__!__none__!__none___channel_version=nightly%252F49=HTTP_AUTH_TYPE_STATS_channel_version=null=Firefox=1_keys=submissions_date=2016-05-04=0=1_submission_date=0
> >
> > --
> > Adam Roach
> > Principal Platform Engineer
> > Office of the CTO
>
> --
> Jason
Re: Basic Auth Prevalence (was Re: Intent to ship: Treat cookies set over non-secure HTTP as session cookies)
On 11/06/2016 03:27, Jason Duell wrote:
> This data also smells weird to me. 8% of pages using basic auth seems very very high, and only 0.7% of basic auth being done unencrypted seems low.

Nitpick: it's 0.7% of total traffic - 749k / 8.7 million ~> 8.6% of basic auth is over unencrypted connections.

~ Gijs

> Perhaps we should chat in London (ideally with Honza Bambas) and make sure we're getting the telemetry right here.
>
> Jason
>
> On Fri, Jun 10, 2016 at 2:15 PM, Adam Roach wrote:
> > On 4/18/16 09:59, Richard Barnes wrote:
> > > Could we just disable HTTP auth for connections not protected with TLS? At least Basic auth is manifestly insecure over an insecure transport. I don't have any usage statistics, but I suspect it's pretty low compared to form-based auth.
> >
> > As a follow up from this: we added telemetry to answer the exact question about how prevalent Basic auth over non-TLS connections was. Now that 49 is off Nightly, I pulled the stats for our new little counter.
> >
> > It would appear telemetry was enabled for approximately 109M page loads[1], of which approximately 8.7M[2] used HTTP auth -- or approximately 8% of all pages. (This is much higher than I expected -- approximately 1 out of 12 page loads uses HTTP auth? It seems far less dead than we anticipated).
> >
> > 749k of those were unencrypted basic auth[2]; this constitutes approximately 0.7% of all recorded traffic.
> >
> > I'll look at the 49 Aurora stats when it has enough data -- it'll be interesting to see how much if it is nontrivially different.
> >
> > /a
> >
> > [1] https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0_date=2016-06-06=__none__!__none__!__none___channel_version=nightly%252F49=HTTP_PAGELOAD_IS_SSL_channel_version=null=Firefox=1_keys=submissions_date=2016-05-04=0=1_submission_date=0
> > [2] https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0_date=2016-06-06=__none__!__none__!__none___channel_version=nightly%252F49=HTTP_AUTH_TYPE_STATS_channel_version=null=Firefox=1_keys=submissions_date=2016-05-04=0=1_submission_date=0
> >
> > --
> > Adam Roach
> > Principal Platform Engineer
> > Office of the CTO
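The denominator confusion Gijs points out, and the reason Richard Barnes calls Basic over plaintext "manifestly insecure", are easy to make concrete. The following is an added example written for this archive page; it is not Firefox code and not the telemetry probes linked above. It assumes a simplified record of page loads as (URL, Authorization request header) pairs, constructed inline, classifies each load the way the thread's two probes distinguish them (any HTTP auth vs. none, scheme, TLS vs. not), and then reports the same plaintext-Basic count against both denominators, including the thread's own 109M / 8.7M / 749k figures. It also shows that a Basic header is reversible encoding, not encryption, so over plain HTTP the username (and password) is readable to anyone on path.

```python
import base64
from urllib.parse import urlsplit


def basic_header(username, password):
    """Build an RFC 7617 Basic credential; used here only to construct sample data."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


# Constructed sample page loads: (URL, Authorization request header or None).
# Made up for this example; these are not Firefox telemetry records or real hosts.
SAMPLE_LOADS = [
    ("https://intranet.example/wiki", basic_header("alice", "s3cret")),
    ("http://legacy.example/admin", basic_header("bob", "hunter2")),
    ("http://legacy.example/status", basic_header("bob", "hunter2")),
    ("https://api.example/v1", 'Digest username="alice", realm="api", nonce="x"'),
    ("https://www.example/", None),
    ("http://news.example/", None),
    ("http://sso.example/", "Negotiate TlRMTVNTUAAB"),  # constructed token prefix
    ("https://www.example/account", None),
]


def classify(url, authorization):
    """Return (auth scheme in lower case or None, is_tls) for one page load.

    This is the distinction the thread's probes draw: did the load use HTTP
    auth at all, with which scheme, and was the transport TLS.
    """
    is_tls = urlsplit(url).scheme == "https"
    scheme = authorization.split(None, 1)[0].lower() if authorization else None
    return scheme, is_tls


def tally(loads):
    """Count total loads, loads with any HTTP auth, and Basic over plaintext."""
    counts = {"loads": 0, "http_auth": 0, "basic_plaintext": 0}
    for url, authorization in loads:
        scheme, is_tls = classify(url, authorization)
        counts["loads"] += 1
        if scheme is not None:
            counts["http_auth"] += 1
        if scheme == "basic" and not is_tls:
            counts["basic_plaintext"] += 1
    return counts


def shares(counts):
    """Report the plaintext-Basic count against both denominators.

    Adam's 0.7% is plaintext Basic over ALL loads; Gijs's 8.6% is the same
    749k over only the 8.7M loads that used HTTP auth at all.
    """
    loads = counts["loads"]
    auth = counts["http_auth"]
    plain = counts["basic_plaintext"]
    return {
        "auth_share_of_loads": auth / loads if loads else 0.0,
        "plaintext_basic_share_of_loads": plain / loads if loads else 0.0,
        "plaintext_basic_share_of_auth": plain / auth if auth else 0.0,
    }


def basic_username(authorization):
    """Username carried by a Basic header, or None for other schemes.

    Base64 is reversible encoding, not encryption: without TLS the whole
    user:password pair is readable by anyone who can observe the request.
    """
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    userpass = base64.b64decode(token).decode("utf-8", errors="replace")
    return userpass.split(":", 1)[0]


# Figures quoted in the thread: 109M loads, 8.7M with HTTP auth, 749k plaintext Basic.
THREAD_COUNTS = {"loads": 109_000_000, "http_auth": 8_700_000, "basic_plaintext": 749_000}

if __name__ == "__main__":
    for label, result in (("sample", shares(tally(SAMPLE_LOADS))),
                          ("thread", shares(THREAD_COUNTS))):
        print(label, {k: f"{v:.1%}" for k, v in result.items()})
```

Running it prints the sample ratios and, for the thread's figures, roughly 8.0% of loads using HTTP auth, 0.7% of loads using plaintext Basic, and 8.6% of authenticated loads using plaintext Basic, which is exactly the pair of numbers Jason and Gijs are comparing. The classification step is also the shape of a useful detection rule on a proxy or web server log: flag any request whose Authorization scheme is Basic and whose transport is not TLS.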
Re: Basic Auth Prevalence (was Re: Intent to ship: Treat cookies set over non-secure HTTP as session cookies)
This data also smells weird to me. 8% of pages using basic auth seems very very high, and only 0.7% of basic auth being done unencrypted seems low.

Perhaps we should chat in London (ideally with Honza Bambas) and make sure we're getting the telemetry right here.

Jason

On Fri, Jun 10, 2016 at 2:15 PM, Adam Roach wrote:
> On 4/18/16 09:59, Richard Barnes wrote:
> > Could we just disable HTTP auth for connections not protected with TLS? At least Basic auth is manifestly insecure over an insecure transport. I don't have any usage statistics, but I suspect it's pretty low compared to form-based auth.
>
> As a follow up from this: we added telemetry to answer the exact question about how prevalent Basic auth over non-TLS connections was. Now that 49 is off Nightly, I pulled the stats for our new little counter.
>
> It would appear telemetry was enabled for approximately 109M page loads[1], of which approximately 8.7M[2] used HTTP auth -- or approximately 8% of all pages. (This is much higher than I expected -- approximately 1 out of 12 page loads uses HTTP auth? It seems far less dead than we anticipated).
>
> 749k of those were unencrypted basic auth[2]; this constitutes approximately 0.7% of all recorded traffic.
>
> I'll look at the 49 Aurora stats when it has enough data -- it'll be interesting to see how much if it is nontrivially different.
>
> /a
>
> [1] https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0_date=2016-06-06=__none__!__none__!__none___channel_version=nightly%252F49=HTTP_PAGELOAD_IS_SSL_channel_version=null=Firefox=1_keys=submissions_date=2016-05-04=0=1_submission_date=0
> [2] https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0_date=2016-06-06=__none__!__none__!__none___channel_version=nightly%252F49=HTTP_AUTH_TYPE_STATS_channel_version=null=Firefox=1_keys=submissions_date=2016-05-04=0=1_submission_date=0
>
> --
> Adam Roach
> Principal Platform Engineer
> Office of the CTO

--
Jason