JonathanBeuys | 2 years ago

I would like to, but Firefox behaves problematically in regard to auth URLs like

https://name:password@news.ycombinator.com

1: When you bookmark them, it shows the auth part when you hover the bookmark with the mouse.

2: When you open them from the command line

    firefox https://name:password@news.ycombinator.com

and then ctrl+click links on the site, it opens the new tab and shows the auth part in the tab title as long as the link loads. It seems the "current url" in Firefox code is stored with the auth part, and it passes that part on to local links.

These issues make it insecure to use auth urls because as soon as someone looks over your shoulder (or there is a camera like in many cafes), you are p0wned.

I wish we had a better way to log into a website from the command line, like ssh keys. But for now, we are stuck with what we have. And Firefox makes it insecure to use it. So for now, I continue to use Chromium.

nacs|2 years ago

You're literally putting the password in plain-text into the (unencrypted) browser bookmarks (and also into your terminal where it's likely logged to your ~/.bash_history).

That is the bigger security issue you have, not how Firefox is handling the display of the URL.

If anything, Firefox is highlighting your insecure security practice.
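Added example, not part of the thread: a Python sketch that audits the two places named in the comment above (shell history and a bookmarks export) for URLs that embed credentials, and reports each one with the userinfo stripped so the finding itself does not repeat the password. The sample lines are constructed and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Candidate URLs: run until whitespace, a quote or an angle bracket.
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

def strip_userinfo(url):
    """Return (display_safe_url, had_userinfo) for one URL."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url, False
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal: restore the brackets
        host = f"[{host}]"
    try:
        port = parts.port
    except ValueError:                   # malformed port: drop it from the display form
        port = None
    if port is not None:
        host = f"{host}:{port}"
    safe = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return safe, True

def audit(lines, source):
    """List (source, line_no, redacted_url) for each URL carrying userinfo."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for match in URL_RE.finditer(line):
            try:
                safe, had_userinfo = strip_userinfo(match.group(0))
            except ValueError:           # not parseable as a URL at all
                continue
            if had_userinfo:
                findings.append((source, line_no, safe))
    return findings

# Constructed sample input, not real data.
HISTORY = ["cd ~/scripts",
           "firefox https://name:password@news.ycombinator.com",
           "curl -s https://example.org/@handle"]
BOOKMARKS = ['<DT><A HREF="https://name:password@news.ycombinator.com/newest">HN</A>',
             '<DT><A HREF="https://example.org/">Example</A>']

if __name__ == "__main__":
    for finding in audit(HISTORY, "~/.bash_history") + audit(BOOKMARKS, "bookmarks.html"):
        print("%s:%d: credentials embedded in URL for %s" % finding)
```

An `@` in the path, as in the third history line, is not userinfo and is left alone.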

JonathanBeuys|2 years ago

I'm not typing them in my terminal. I have scripts that automate my workflow. And part of it is logging me into websites.

Regarding storing them in plain text: That's not much different from ssh keys. When someone can read your ssh key, they can log in as you.

If you know a better way to automatically log a user into a website, let us know!

kgwxd|2 years ago

I have a hard time believing you even do what you're claiming. The number of sites that support logging in that way is basically (pun intended) 0. In fact, Firefox is the only browser that warned me that someone is probably trying to scam me with a URL like that; the other browsers just dropped the auth part and went to the site without logging in.

pprotas|2 years ago

You save passwords in plain text (bookmarks) and then complain that people can read the plain text over your shoulder?

JonathanBeuys|2 years ago

Yes. The auth part should not be displayed when you hover over a bookmark. Chromium does not display it.

In the end, every security mechanism is "plain text". Even ssh keys. When someone gains access to your ssh key, which is just an ASCII string, they can log in as you.