Re: Authentication prompt for mbox downloads

From: Dave Page <dpage(at)pgadmin(dot)org>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>, PostgreSQL WWW <pgsql-www(at)postgresql(dot)org>
Subject: Re: Authentication prompt for mbox downloads
Date: 2020-03-26 13:33:20
Message-ID: CA+OCxox-3tPejR-3Wtvo4k=50Jb=FQTO6dcabX_8DkjFMjz-0g@mail.gmail.com
Lists: pgsql-www

On Thu, Mar 26, 2020 at 1:23 PM Magnus Hagander <magnus(at)hagander(dot)net> wrote:

> On Thu, Mar 26, 2020 at 2:14 PM Jonathan S. Katz <jkatz(at)postgresql(dot)org>
> wrote:
> >
> > On 3/26/20 8:53 AM, Dave Page wrote:
> > > Some, maybe all of the major browsers no longer display the security
> > > realm on login prompts, which was previously used to inform the user of
> > > the anti-spam username and password used to protect the mailbox
> > > archives.
> >
> > I think it's mainly broken in Chrome, though I just checked and this now
> > extends to Safari. It works fine in Firefox.
> >
> > > This means that the only way to get it now is either to go
> > > find it in the source code for the website, or look at the response
> > > headers in the browsers developer tools.
> > >
> > > The attached patch adds a note to the page instead.
> >
> > Syntax-wise please switch the "<i>" to "<em>". Should we go down this
> > patch, we'd also want to place that message on any page where one can
> > download an archive.
> >
> > I do wonder if by placing the text on the site like that, we make it a
> > bit easier to defeat the original purpose of the prompt. Some other
> > ideas:
> >
> > 1. We have a JavaScript snippet that executes when the page loads to
> > render the text in place. Not foolproof, but it's around the same level
> > as the current solution (though this would likely expose the credentials
> > in the JavaScript source).
> >
> > 2. We render the username/password using images. Similarly, not
> > foolproof, but requires a nontrivial effort.
>
> I don't think either of those make any actual difference. We already
> give the instructions in the actual prompt sent back, which is the
> very first thing that scripts will see. If we want to defeat those
> things, we need to go to something like a captcha for example. Which
> will add a fair amount of friction for those that *do* know it
> already.
>
> Probably the majority of people who are downloading these have done so
> at least once before, and thus do *not* need the instructions. We
> should try to avoid making it worse for them. And in particular, 99%
> of the visitors to our archives are not interested in mboxes at all,
> and we should *definitely* try to avoid making it worse for them.
>

Not sure I agree with that entirely. This came up because a colleague was
trying to access them and (naturally) getting frustrated when his community
account credentials didn't work. He reached out to me, and I, as someone
who has downloaded mboxes numerous times before, albeit not overly
regularly, had to break out the dev tools in Chrome to remind myself of the
credentials.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
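The point Magnus makes above, that any client sees the realm before a human ever does, is easy to check: the realm a browser used to show in its login dialog is just a parameter of the `WWW-Authenticate` header on the 401 response. The following is an added example, not code from the thread or from the pgsql-www site, that parses that header (RFC 7235 challenge syntax, including quoted-string escapes, multiple challenges and token68 forms) out of a constructed 401 response head. The realm text in the sample is a placeholder, not the archive's actual anti-spam credentials.

```python
"""Extract the realm from a WWW-Authenticate challenge.

Added example; the response head below is constructed for illustration and
the realm is a placeholder, not the real archive hint.
"""
from __future__ import annotations

import re

# Constructed 401 response head. A browser that hides the realm still
# receives exactly this header; only the dialog UI changed.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Date: Thu, 26 Mar 2020 13:33:20 GMT\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b'WWW-Authenticate: Basic realm="Use username ARCHIVE_USER and password '
    b'ARCHIVE_PASS", charset="UTF-8"\r\n'
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# RFC 7230 token and quoted-string, RFC 7235 token68.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_TOKEN68 = r"[A-Za-z0-9._~+/-]+=*"
# auth-scheme, terminated by whitespace, a comma (no params) or end of value.
_SCHEME = re.compile(rf"\s*({_TOKEN})(?:\s+|(?=,)|$)")
# auth-param: name=value, where value is a token or a quoted-string.
_PARAM = re.compile(rf"\s*({_TOKEN})\s*=\s*({_TOKEN}|{_QUOTED})\s*(,|$)")
_T68 = re.compile(rf"\s*({_TOKEN68})\s*(?=,|$)")


def _unquote(value: str) -> str:
    """Strip surrounding quotes and resolve backslash escapes (quoted-pair)."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_challenges(header_value: str) -> list[tuple[str, dict[str, str]]]:
    """Split a WWW-Authenticate value into (scheme, {param: value}) pairs.

    A challenge list is comma separated and so are the params of a single
    challenge; a token followed by '=' is a param, anything else starts a
    new challenge. Param names are case-insensitive and are lowercased.
    A token68 credential (e.g. 'Negotiate abc==') is stored under 'token68'.
    """
    challenges: list[tuple[str, dict[str, str]]] = []
    pos, n = 0, len(header_value)
    while pos < n:
        m = _SCHEME.match(header_value, pos)
        if not m:
            raise ValueError(f"expected auth-scheme at offset {pos}")
        scheme, pos = m.group(1), m.end()
        params: dict[str, str] = {}
        while True:
            pm = _PARAM.match(header_value, pos)
            if not pm:
                break
            params[pm.group(1).lower()] = _unquote(pm.group(2))
            pos = pm.end()
            if pm.group(3) != ",":
                break  # reached end of the header value
        if not params:
            tm = _T68.match(header_value, pos)
            if tm:
                params["token68"] = tm.group(1)
                pos = tm.end()
        challenges.append((scheme, params))
        # Skip the separator before the next challenge, if any.
        while pos < n and header_value[pos] in " \t,":
            pos += 1
    return challenges


def realm_from_response(raw_head: bytes, scheme: str = "Basic") -> str | None:
    """Return the realm of the first `scheme` challenge on a 401, else None."""
    head = raw_head.decode("iso-8859-1").split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    parts = status_line.split(None, 2)
    if len(parts) < 2 or parts[1] != "401":
        return None
    for line in lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        for ch_scheme, params in parse_challenges(value.strip()):
            if ch_scheme.lower() == scheme.lower() and "realm" in params:
                return params["realm"]
    return None


if __name__ == "__main__":
    print(realm_from_response(SAMPLE_RESPONSE))
```

Because the realm travels in a plain response header, hiding it from the page does not hide it from an automated client; a visible note on the download page therefore costs nothing in protection, which is the trade-off the thread is weighing.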
