[Cryptography] Basic auth a bit too basic

John Gilmore gnu at toad.com
Sat Feb 6 22:58:39 EST 2016


>> It would be technically straightforward for browsers to have a logout
>> button that forgets the auth credentials for the current page, or to
>> invent an HTML meta tag that tells browsers to forget auth credentials
>> for the current page's domain (give or take the same cross-domain
>> issues with cookies.)  The fact that nobody's done either suggests
>> that it's not a big problem in practice.

Well, the fact that Firefox hasn't done it means that the job has been
outsourced to a popular extension.  Cookie Monster has a menu item
for it (pop-up menu -> View Cookies -> Delete Cookies for
example.com).  It also lets you delete cookies more generally, as well
as providing easy ways to set recurring policies like "For sites I
haven't otherwise mentioned, never accept cookies", "Never accept
cookies for the site I'm currently viewing", "Always turn all cookies
into session cookies for this site", or "Accept cookies temporarily
from this site, then after this session, go back to not accepting
them."

[Are there are any "auth credentials" other than cookies that are used
 by more than a tiny fraction of web sites?]

In general, Firefox maintainers seem to take the attitude that it's OK
if Google, Facebook, and NSA can track you everywhere you go on the
web.  Fixing that seems much less important to them than making sure
that every website everywhere always works the way the third-party
designers intended -- even when the designers were malevolent (or
merely ignorant and manipulated by one of the big tracking companies).
Extensions that plug into Firefox, like NoScript, Cookie Monster,
Privacy Badger, Request Policy, RefControl, etc, are willing to break
some web sites in return for giving the *end user* control over who is
tracking them.

Merely getting rid of your browser's Referer headers by default will
eliminate a large amount of tracking, while breaking only a tiny
number of sites (that require Referer to defend against cross-site
scripting, a foolish idea since Referer lines are easy to spoof).  Try
adding RefControl to your browser and setting the default to "Block".

	John