lynx-dev

Re: lynx-dev ftp://user:address@hidden too much unencripted info


From: Leonid Pauzner
Subject: Re: lynx-dev ftp://user:address@hidden too much unencripted info
Date: Mon, 8 Nov 1999 22:03:31 +0300 (MSK)

8-Nov-99 10:24 Klaus Weide wrote:
> On Mon, 8 Nov 1999, Leonid Pauzner wrote:

>> I happen to visit non-anonymous ftp account with lynx.
>> When I start with ftp://user:address@hidden
>>                             ^^^^^^
>> I see that prefix with username and password unencrypted
>> for all URLs shown from lynx: in Advanced mode statusline
>> while navigating across directories; in History/VisitedLinks/Info
>> pages... Although it is documented in "URL Schemes Supported in Lynx"
>> it would be nice to strip password from that kind of visual output
>> for privacy concerns.
>> ...
>>
>>    It is unwise to include the :password field except for URLs which
>>    point to anonymous or other public access accounts, and for most
>>    TCP-IP software you will be prompted for a password whether or not one
>>    was included in the URL.

> Using a password in a URL is so hopelessly bad that I wouldn't bother
> trying to hide it.  Don't give the impression that you can make it more
> invisible unless you really can make it disappear from *all* places
> that matter.  If you only strip it out in some obvious places, you
> are just misleading the user to *think* it is hidden.

I mean:

(1) exclude password from URL in mainloop (or HTParse stage?) and keep
it separately until the remote server responds with "enter a password",
then send a password *automatically* on request.

or better

(2) Change the samples in "URL Schemes Supported in Lynx" so they would
appear without //user:passw@  but  //user@ with the explanation of yet
another possibility added in words... So the user will not get a wrong
impression if reading that document not so carefully (you know, samples
are so easily remembered without details). Anyway, non-interactive users
could set the password via a command line flag.


>    Klaus
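
Suggestion (1) above, sketched as an added example that is not part of the original message and is not Lynx code: the password is split off once, when the URL is parsed, so every later display path only ever sees the `//user@` form. The helper name `split_url_password`, the buffer sizes and the sample URL are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a Lynx function): copy url into display with the
 * ":password" part of "//user:password@host" removed, and keep the password
 * separately in pw so it is sent only when the server asks for it.
 * Returns 1 if a password was split off, 0 if none, -1 if a buffer is small. */
int split_url_password(const char *url, char *display, size_t dlen,
                       char *pw, size_t pwlen)
{
    const char *auth, *end, *p, *at = NULL, *colon = NULL;
    size_t n;
    if (dlen == 0 || pwlen == 0)
        return -1;
    pw[0] = '\0';
    auth = strstr(url, "://");
    if (auth != NULL) {
        auth += 3;
        end = auth + strcspn(auth, "/?#");  /* authority stops here */
        for (p = auth; p < end; p++)        /* last '@' ends the userinfo */
            if (*p == '@') at = p;
        if (at != NULL)                     /* first ':' ends the user name */
            colon = memchr(auth, ':', (size_t)(at - auth));
    }
    if (colon == NULL) {                    /* nothing to hide */
        if (strlen(url) >= dlen)
            return -1;
        strcpy(display, url);
        return 0;
    }
    n = (size_t)(at - colon) - 1;           /* password length */
    if (n >= pwlen || strlen(url) - n - 1 >= dlen)
        return -1;
    memcpy(pw, colon + 1, n);
    pw[n] = '\0';
    n = (size_t)(colon - url);              /* keep everything before ':' */
    memcpy(display, url, n);
    strcpy(display + n, at);                /* then "@host/path" */
    return 1;
}

int main(void)
{
    char shown[256], pw[64];                /* constructed sample URL below */
    split_url_password("ftp://user:secret@ftp.example.org/pub/",
                       shown, sizeof shown, pw, sizeof pw);
    printf("%s\n", shown);                  /* statusline, history, info page */
    return 0;
}
```

Taking the last `@` and the first `:` inside the authority means a password that itself contains `@` or `:` is still removed whole rather than partly left in the displayed URL.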




