Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deprecation of too much userinfo (was: RFC7230 Errata 5964) #278

Closed
vanrein opened this issue Jan 24, 2020 · 1 comment
Closed

Deprecation of too much userinfo (was: RFC7230 Errata 5964) #278

vanrein opened this issue Jan 24, 2020 · 1 comment
Assignees
@reschke
Labels
erratum semantics

Comments

@vanrein
Copy link

vanrein commented Jan 24, 2020
edited

The current semantics draft states

2.5.4. Deprecated userinfo

The URI generic syntax for authority also includes a deprecated userinfo subcomponent ([RFC3986], Section 3.2.1) for including user authentication information in the URI. Some implementations make use of the userinfo component for internal configuration of authentication information, such as within command invocation options, configuration files, or bookmark lists, even though such usage might expose a user identifier or password. A sender must not generate the userinfo subcomponent (and its "@" delimiter) when an "http" URI reference is generated within a message as a request target or header field value. Before making use of an "http" URI reference received from an untrusted source, a recipient should parse for userinfo and treat its presence as an error; it is likely being used to obscure the authority for the sake of phishing attacks.

Notes:

RFC3986 does not forbid or even discourage the "user" in the userinfo subcomponent. It only says

    Use of the format "user:password" in the userinfo field is
    deprecated.

and continues to describe the intricacies of ":password" handling.

The user is part of the authority section of the URI and its purpose is to zoom in on a scope for authoritative resource addressing. This syntax has in the past been (ab)used for Basic/Digest authentication details, which only works if visitor and visited resource happen to be the same user; it is this (ab)use that is now deprecated.

I have written an I-D about the http://user@ form that places it in a User: user header with the intention of adding user names in much the same manner as host names, as a selector for a naming scope of resources.

I believe that obscuring the authority for the purposes of phishing is not really mitigated by parsing the userinfo; subdomains in DNS offer similar notational flexibility. Parsing does help against misleading password popups, but these are probably easier to remedy when credential inquiries are only made in response to WWW-Authenticate and Proxy-Authenticate headers.
vanrein added a commit to arpa2/http-core that referenced this issue Jan 24, 2020
@vanrein
Issue httpwg#278, Deprecation of too much userinfo
a64a354 
Keep user name, specifically drop "user:password"
(I have also removed some explanatory notes do not seem helpful anymore.)
@mnot
Copy link
Member

mnot commented Feb 2, 2020

Discussed in Basel. Correcting the reasoning of why it was deprecated can be addressed editorially. Changing what was deprecated needs to be a much larger discussion and pull in the security community.

@csarven csarven mentioned this issue Feb 2, 2020
Closed
reschke added a commit that referenced this issue Feb 2, 2020
@reschke
Be more correct about what was deprecated by RFC 3986 (and also talk …
05b0b43 
…about https URIs) (#278)
reschke added a commit that referenced this issue Feb 2, 2020
@reschke
Merge pull request #281 from httpwg/reschke-278
3b78e74 
Be more correct about what was deprecated by RFC 3986 (and also talk about https URIs) (#278)
@reschke reschke closed this as completed Feb 3, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@reschke reschke

Labels
erratum semantics
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mnot @reschke @vanrein