Re: Authentication prompt for mbox downloads

On Thu, Mar 26, 2020 at 2:33 PM Jonathan S. Katz <jkatz@postgresql.org> wrote:
>
> On 3/26/20 9:23 AM, Magnus Hagander wrote:
> > On Thu, Mar 26, 2020 at 2:14 PM Jonathan S. Katz <jkatz@postgresql.org> wrote:
> >>
> >> On 3/26/20 8:53 AM, Dave Page wrote:
> >>> Some, maybe all of the major browsers no longer display the security
> >>> realm on login prompts, which was previously used to inform the user of
> >>> the anti-spam username and password used to protect the mailbox
> >>> archives.
> >>
> >> I think it's mainly broken in Chrome, though I just checked and this now
> >> extends to Safari. It works fine in Firefox.
> >>
> >>> This means that the only way to get it now is either to go
> >>> find it in the source code for the website, or look at the response
> >>> headers in the browsers developer tools.
> >>>
> >>> The attached patch adds a note to the page instead.
> >>
> >> Syntax-wise please switch the "<i>" to "<em>". Should we go down this
> >> patch, we'd also want to place that message on any page where one can
> >> download an archive.
> >>
> >> I do wonder if by placing the text on the site like that, we make it a
> >> bit easier to defeat the original purpose of the prompt. Some other ideas:
> >>
> >> 1. We have a JavaScript snippet that executes when the page loads to
> >> render the text in place. Not fool proof, but it's around the same level
> >> as the current solution (though this would likely expose the credentials
> >> in the JavaScript source).
> >>
> >> 2. We render the username/password using images. Similarly, not
> >> foolproof, but requires a nontrivial effort.
> >
> > I don't think either of those make any actual difference. We already
> > give the instructions in the actual prompt sent back, which is the
> > very first things that scripts will see.
>
> Yes...that's what I said (perhaps not clearly) in the part of my
> response you cut out.
>
> > If we want to defeat those
> > things, we need to go to something like a captcha for example. Which
> > will add a fair amount of friction for those that *do* know it
> > already.
>
> I'm not suggesting we disable the Basic Auth mechanism. I'm just making
> suggestions around displaying the credentials.
>
> If someone needs to look up the credentials, the captcha is not a bad idea.
>
> > Probably the majority of people who are downloading these have done so
> > at least once before, and thus do *not* need the instructions.
>
> I don't know how frequently people use this feature (perhaps you have
> the stats?). Whenever I do, I know I have to look up the instructions
> every time because I don't remember the credentials, which leads to the
> poor user experience that Dave describes.

We seem to average 2 downloads of mbox files per day.

And about 1300 hits to the mbox urls that return the 401 code to
require authorization.

It's hard to directly compare to "actual accesses to messages",
because those are very heavily cached. But we're looking at
approximately 75,000 cache *misses* on emails every day. So I would
expect at least a few million downloads (for "recent messages" the
cache rate is something in excess of 90%, but a fair number of the
other hits might be a bot that's picking up old ones).

Bottom line is, the number of people downloading the mboxes are *very*
few in comparison.


> > We
> > should try to avoid making it worse for them. And in particular, 99%
> > of the visitors to our archives are not interested in mboxes at all,
>
> I would not dispute that the number of people downloading the mboxes is
> way smaller than the other usage of the archives, but it would be good
> to know the actual proportions. GA does not provide the mbox stats.
>
> > and we should *definitely* try to avoid making it worse for them.
>
> I don't see how any of the above, including Dave's patch, make things
> worse. Again I was just suggesting on how to display the credentials,
> not adding more steps to downloading the mbox.

Well, Daves patch doesn't cover 2 out of 3 cases, that's a start :)

And it makes it worse in that it goes in the very most "valuable
space" on the screen, for something that's focused on a tiny portion
of our users.

I'm certainly not against making the information better, I'm just not
sure that's the best way.

-- 
 Magnus Hagander
 Me: https://www.hagander.net/
 Work: https://www.redpill-linpro.com/