This data also smells weird to me. 8% of pages using basic auth seems very very high, and only 0.7% of basic auth being done unencypted seems low.
Perhaps we should chat in London (ideally with Honza Bambas) and make sure we're getting the telemetry right here. Jason On Fri, Jun 10, 2016 at 2:15 PM, Adam Roach <a...@mozilla.com> wrote: > On 4/18/16 09:59, Richard Barnes wrote: > >> Could we just disable HTTP auth for connections not protected with TLS? >> At >> least Basic auth is manifestly insecure over an insecure transport. I >> don't have any usage statistics, but I suspect it's pretty low compared to >> form-based auth. >> > > As a follow up from this: we added telemetry to answer the exact question > about how prevalent Basic auth over non-TLS connections was. Now that 49 is > off Nightly, I pulled the stats for our new little counter. > > It would appear telemetry was enabled for approximately 109M page > loads[1], of which approximately 8.7M[2] used HTTP auth -- or approximately > 8% of all pages. (This is much higher than I expected -- approximately 1 > out of 12 page loads uses HTTP auth? It seems far less dead than we > anticipated). > > 749k of those were unencrypted basic auth[2]; this constitutes > approximately 0.7% of all recorded traffic. > > I'll look at the 49 Aurora stats when it has enough data -- it'll be > interesting to see how much if it is nontrivially different. > > /a > > > [1] > https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2016-06-06&keys=__none__!__none__!__none__&max_channel_version=nightly%252F49&measure=HTTP_PAGELOAD_IS_SSL&min_channel_version=null&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2016-05-04&table=0&trim=1&use_submission_date=0 > > [2] > https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2016-06-06&keys=__none__!__none__!__none__&max_channel_version=nightly%252F49&measure=HTTP_AUTH_TYPE_STATS&min_channel_version=null&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2016-05-04&table=0&trim=1&use_submission_date=0 > > > -- > Adam Roach > Principal Platform Engineer > Office of the CTO > _______________________________________________ > dev-platform mailing list > dev-platform@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-platform > -- Jason _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
