Hacker News

What? O.o I use this in KeePass to store quick-login links for some that still require HTTP basic auth (though I haven't tested these for a while). Do you have any link on the deprecation?



> In Firefox, it is checked if the site actually requires authentication and if not, Firefox will warn the user with a prompt "You are about to log in to the site “www.example.com” with the username “username”, but the website does not require authentication. This may be an attempt to trick you.".

Huh, that's just security theater. The phisher could set up a website that does require authentication, thereby avoiding the warning.

The sensible thing to do would be to display the warning if the username contains unescaped dots. (I.e., http://cnn.com:article123456@fakenews.example.com/ would provoke warnings, but http://cnn%2Ecom:article123456@fakenews.example.com/ would not.)
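The dot heuristic proposed in the comment above, sketched as an added example that is not part of the thread and not any browser's actual code. The function name `checkUserinfo` and its result fields are hypothetical, and the sample URLs other than the two quoted in the comment are constructed.

```javascript
// Added example: warn when the userinfo username of a URL contains a
// literal (unescaped) dot, i.e. when it can be mistaken for a hostname.
// checkUserinfo and its result fields are hypothetical names.
function checkUserinfo(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    // Not parseable as an absolute URL: nothing to evaluate.
    return { valid: false, warn: false, host: null, username: null, message: null };
  }
  // The WHATWG URL parser leaves existing percent-escapes in the
  // username untouched, so "%2E" stays "%2E" and only a literal "."
  // written by the link author matches below.
  const username = url.username;
  const host = url.hostname;
  const warn = username.includes(".");
  const message = warn
    ? `This link goes to "${host}"; "${username}" is only a login name.`
    : null;
  return { valid: true, warn, host, username, message };
}

// Constructed samples: the two URLs from the comment plus two controls.
const samples = [
  "http://cnn.com:article123456@fakenews.example.com/",
  "http://cnn%2Ecom:article123456@fakenews.example.com/",
  "http://alice:secret@intranet.example.com/",
  "https://www.example.com/no-userinfo",
];

for (const s of samples) {
  const r = checkUserinfo(s);
  console.log(r.warn ? "WARN" : "ok  ", s, r.message ?? "");
}
```

Because the check reads the username as the parser returns it, a link author who deliberately escapes the dot (as in the second URL) is treated as having opted out of the warning, which is the behaviour the comment describes.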


Thinking about this, I think you're right that this is perhaps less useful than billed. If anything though, I'd rather have both warnings.



