On 4/18/16 09:59, Richard Barnes wrote:
> Could we just disable HTTP auth for connections not protected with TLS?  At
> least Basic auth is manifestly insecure over an insecure transport.  I
> don't have any usage statistics, but I suspect it's pretty low compared to
> form-based auth.

As a follow up from this: we added telemetry to answer the exact question about how prevalent Basic auth over non-TLS connections was. Now that 49 is off Nightly, I pulled the stats for our new little counter.

It would appear telemetry was enabled for approximately 109M page loads[1], of which approximately 8.7M[2] used HTTP auth -- or approximately 8% of all pages. (This is much higher than I expected -- approximately 1 out of 12 page loads uses HTTP auth? It seems far less dead than we anticipated).

749k of those were unencrypted basic auth[2]; this constitutes approximately 0.7% of all recorded traffic.

I'll look at the 49 Aurora stats when it has enough data -- it'll be interesting to see how much if it is nontrivially different.

/a


[1] https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2016-06-06&keys=__none__!__none__!__none__&max_channel_version=nightly%252F49&measure=HTTP_PAGELOAD_IS_SSL&min_channel_version=null&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2016-05-04&table=0&trim=1&use_submission_date=0

[2] https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2016-06-06&keys=__none__!__none__!__none__&max_channel_version=nightly%252F49&measure=HTTP_AUTH_TYPE_STATS&min_channel_version=null&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2016-05-04&table=0&trim=1&use_submission_date=0


--
Adam Roach
Principal Platform Engineer
Office of the CTO
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
