Re: lynx-dev ftp://user:address@hidden too much unencrypted info
From: Leonid Pauzner
Subject: Re: lynx-dev ftp://user:address@hidden too much unencrypted info
Date: Mon, 8 Nov 1999 22:03:31 +0300 (MSK)

8-Nov-99 10:24 Klaus Weide wrote:
> On Mon, 8 Nov 1999, Leonid Pauzner wrote:
>> I happened to visit a non-anonymous ftp account with lynx.
>> When I start with ftp://user:address@hidden
>> ^^^^^^
>> I see that prefix with username and password unencrypted
>> for all URLs shown from lynx: in Advanced mode statusline
>> while navigating across directories; in History/VisitedLinks/Info
>> pages... Although it is documented in "URL Schemes Supported in Lynx"
>> it would be nice to strip password from that kind of visual output
>> for privacy concerns.
>> ...
>>
>> It is unwise to include the :password field except for URLs which
>> point to anonymous or other public access accounts, and for most
>> TCP-IP software you will be prompted for a password whether or not one
>> was included in the URL.
> Using a password in a URL is so hopelessly bad that I wouldn't bother
> trying to hide it. Don't give the impression that you can make it more
> invisible unless you really can make it disappear from *all* places
> that matter. If you only strip it out in some obvious places, you
> are just misleading the user to *think* it is hidden.
I mean:
(1) exclude password from URL in mainloop (or HTParse stage?) and keep
it separately until the remote server responds with "enter a password",
then send a password *automatically* on request.
or better
(2) Change the samples in "URL Schemes Supported in Lynx" so they would
appear without //user:passw@ but with //user@, with the explanation of yet
another possibility added in words... So the user will not get a wrong
impression if reading that document not so carefully (you know, samples
are so easily remembered without details). Anyway, non-interactive users
could set the password via a command line flag.
> Klaus
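
Option (1) above, sketched as an added example that is not part of the original message and is not Lynx code: the password is split out of the URL once, at parse time, so that the status line, History and Visited Links code only ever receive the cleaned string. The function name `split_url_password` and the sample URL are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not Lynx code. Copies url into clean with the
 * ":password" part of the authority removed and returns the password in a
 * malloc'ed string (*password), so only clean reaches display code.
 * Returns 1 if a password was removed, 0 if none was present, -1 on error. */
int split_url_password(const char *url, char *clean, size_t clean_len,
                       char **password)
{
    const char *auth, *end, *p, *at = NULL, *colon;
    size_t n;

    *password = NULL;
    if (strlen(url) >= clean_len)
        return -1;
    strcpy(clean, url);

    auth = strstr(url, "://");
    if (auth == NULL)
        return 0;
    auth += 3;
    end = auth + strcspn(auth, "/?#");  /* authority ends at path/query/fragment */
    for (p = auth; p < end; p++)        /* last '@' inside the authority only */
        if (*p == '@')
            at = p;
    if (at == NULL)
        return 0;                       /* no userinfo, e.g. "host:port" */
    colon = memchr(auth, ':', (size_t)(at - auth));
    if (colon == NULL)
        return 0;                       /* "user@host": nothing to strip */

    n = (size_t)(at - colon - 1);
    *password = malloc(n + 1);
    if (*password == NULL)
        return -1;
    memcpy(*password, colon + 1, n);
    (*password)[n] = '\0';
    strcpy(clean + (colon - url), at);  /* keep "scheme://user", resume at '@' */
    return 1;
}

int main(void)
{
    char clean[256], *pw;               /* URL below is a constructed sample */
    split_url_password("ftp://user:secret@ftp.example.org/pub/", clean, sizeof clean, &pw);
    printf("display/history: %s\n", clean);
    free(pw);
    return 0;
}
```

The split only helps if it happens before the URL is stored anywhere; a copy of the original string kept in history, logs or the process command line still carries the password.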