And then ctrl+click links on the site, it opens the new tab and shows the auth part in the tab title as long as the link loads. It seems the "current url" in Firefox code is stored with the auth part, and it passes that part on to local links.
These issues make it insecure to use auth urls because as soon as someone looks over your shoulder (or there is a camera like in many cafes), you are p0wned.
I wish we had a better way to log into a website from the command line, like ssh keys. But for now, we are stuck with what we have. And Firefox makes it insecure to use it. So for now, I continue to use Chromium.
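The thread above is about the user:password part of a URL surfacing wherever the browser or shell repeats the URL (bookmark hover, tab title, `~/.bash_history`). The following is an added example, not code from any commenter or from Firefox: a small Python 3 helper that redacts the userinfo component before a URL is logged or displayed, and scans a few constructed shell-history lines (placeholder hostnames such as git.example.test are invented) for URLs that still carry credentials.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Matches a URL-looking token (scheme://...) inside free text such as a shell
# history line or a bookmarks export.
URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://[^\s\"'<>]+")


def has_userinfo(url: str) -> bool:
    """True if the authority component carries user[:password]@ credentials."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None


def redact_userinfo(url: str, placeholder: str = "REDACTED") -> str:
    """Return url with the credential part of the authority replaced.

    The host:port tail is taken from the raw netloc (after the last '@') so
    IPv6 literals, ports and original casing survive. An '@' that appears
    only in the path or query (e.g. /@alice) is not credentials and is kept.
    """
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    host_port = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit(parts._replace(netloc=f"{placeholder}@{host_port}"))


def find_credential_urls(lines):
    """Scan text lines; return (1-based line number, redacted line) for every
    line that contains at least one URL with embedded credentials."""
    hits = []
    for n, line in enumerate(lines, start=1):
        if any(has_userinfo(m.group(0)) for m in URL_RE.finditer(line)):
            hits.append((n, URL_RE.sub(lambda m: redact_userinfo(m.group(0)), line)))
    return hits


# Constructed sample imitating a few ~/.bash_history lines (not real data).
SAMPLE_HISTORY = [
    "firefox https://name:password@news.ycombinator.com",
    "curl https://example.com/@alice/posts",
    "git clone https://deploy:tok3n@git.example.test/repo.git",
]

if __name__ == "__main__":
    for n, line in find_credential_urls(SAMPLE_HISTORY):
        print(f"line {n}: {line}")
```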
You're literally putting the password in plain-text into the (unencrypted) browser bookmarks (and also into your terminal where it's likely logged to your ~/.bash_history).
That is the bigger security issue you have, not how Firefox is handling the display of the URL.
If anything, Firefox is highlighting your insecure security practice.
I have a hard time believing you even do what you're claiming. The number of sites that support logging in that way is basically (pun intended) 0. In fact, Firefox is the only browser that warned me that someone is probably trying to scam me with a URL like that; the other browsers just dropped the auth part and went to the site without logging in.
Yes. The auth part should not be displayed when you hover over a bookmark. Chromium does not display it.
In the end, every security mechanism is "plain text". Even ssh keys. When someone gains access to your ssh key, which is just an ascii string, they can log in as you.
My SSH keys are protected with a password, on top of that I have a biometric lock (MacBook fingerprint reader) on my SSH keys. So they would only grant access to someone that 1. has access to my computer, 2. knows the password (which only I know) and 3. has my finger. Definitely more than just plain text!
I strongly suggest looking into multi-factor authentication, or other modern authorization/security mechanisms if you want to see examples of security systems that are not just plain text.
> Chromium does not display it.
Security by obscurity is not ideal, although I can understand that the lack of this feature in Firefox hinders your use case.
Same here. You can't just access my auth data over the internet.
You would also have to get hold of my machine and get past its security mechanisms.
You can put as many layers on top of what you call "obscurity". But at the bottom it's still just a simple string that holds the power to authenticate you.
And "multi-factor authentication" does not help with the situation "User is allowed to use this script, so they are also allowed to use that website. Let's open it for them."
https://name:password@news.ycombinator.com
1: When you bookmark them, it shows the auth part when you hover the bookmark with the mouse.
2: When you open them from the command line