Hacker News new | ask | show | jobs
by JonathanBeuys 900 days ago
I would like to, but Firefox behaves problematic in regard to auth urls like

https://name:password@news.ycombinator.com

1: When you bookmark them, it shows the auth part when you hover the bookmark with the mouse.

2: When you open them from the command line

    firefox https://name:password@news.ycombinator.com
And then ctrl+click links on the site, it opens the new tab and shows the auth part in the tab title as long as the link loads. It seems the "current url" in Firefox code is stored with the auth part, and it passes that part on to local links.

These issues make it insecure to use auth urls because as soon as someone looks over your shoulder (or there is a camera like in many cafes), you are p0wned.

I wish we had a better way to log into a website from the command line, like ssh keys. But for now, we are stuck with what we have. And Firefox makes it insecure to use it. So for now, I continue to use Chromium.
3 comments
nacs 900 days ago
You're literally putting the password in plain-text into the (unencrypted) browser bookmarks (and also into your terminal where it's likely logged to your ~/.bash_history).

That is the bigger security issue you have, not how Firefox is handling the display of the URL.

If anything, Firefox is highlighting your insecure security practice.

link
JonathanBeuys 900 days ago
I'm not typing them in my terminal. I have scripts that automate my workflow. And part of it is logging me into websites.

Regarding storing them in plain text: That's not much different from ssh keys. When someone can read your ssh key, they can log in as you.

If you know a better way to automatically log a user into a website, let us know!

link
vehemenz 899 days ago
Every modern password manager has this capability built in.
link
kgwxd 899 days ago
I have a hard time believing you even do what you're claiming. The number of sites that support logging in that way is basically (pun intended) 0. In fact, firefox is the only browser that warned me that someone is probably trying to scam me with a url like that, the other browsers just dropped the auth part and went to the site without logging in.
link
pprotas 900 days ago
You save passwords in plain text (bookmarks) and then complain that people can read the plain text over your shoulder?
link
JonathanBeuys 900 days ago
Yes. The auth part should not be displayed when you hover over a bookmark. Chromium does not display it.

In the end, every security mechanism is "plain text". Even ssh keys. When someone gains access to your ssh key, which is just an ascii string, they can log in as you.

link
pprotas 899 days ago
My SSH keys are protected with a password, on top of that I have a biometric lock (MacBook fingerprint reader) on my SSH keys. So they would only grant access to someone that 1. has access to my computer, 2. knows the password (which only I know) and 3. has my finger. Definitely more than just plain text!

I strongly suggest looking into multi-factor authentication, or other modern authorization/security mechanisms if you want to see examples of security systems that are not just plain text.

> Chromium does not display it.

Security by obscurity is not ideal, although I can understand that the lack of this feature in Firefox hinders your usecase.

link
JonathanBeuys 899 days ago
Same here. You can't just access my auth data over the internet.

You would also have to get hold of my machine and get past it's security mechanisms.

You can put as many layers on top of what you call "obscurity". But at the bottom it's still just a simple string that holds the power to authenticate you.

And "multi-factor authentication" does not help with the situation "User is allowed to use this script, so they are also allowed to use that website. Let's open it for them.".

link