Re: Authentication prompt for mbox downloads

On 3/26/20 9:51 AM, Magnus Hagander wrote:
> On Thu, Mar 26, 2020 at 2:33 PM Jonathan S. Katz <jkatz@postgresql.org> wrote:
>>
>> On 3/26/20 9:23 AM, Magnus Hagander wrote:
>>> On Thu, Mar 26, 2020 at 2:14 PM Jonathan S. Katz <jkatz@postgresql.org> wrote:
>>>>
>>>> On 3/26/20 8:53 AM, Dave Page wrote:
>>>>> Some, maybe all of the major browsers no longer display the security
>>>>> realm on login prompts, which was previously used to inform the user of
>>>>> the anti-spam username and password used to protect the mailbox
>>>>> archives.
>>>>
>>>> I think it's mainly broken in Chrome, though I just checked and this now
>>>> extends to Safari. It works fine in Firefox.
>>>>
>>>>> This means that the only way to get it now is either to go
>>>>> find it in the source code for the website, or look at the response
>>>>> headers in the browsers developer tools.
>>>>>
>>>>> The attached patch adds a note to the page instead.
>>>>
>>>> Syntax-wise please switch the "<i>" to "<em>". Should we go down this
>>>> patch, we'd also want to place that message on any page where one can
>>>> download an archive.
>>>>
>>>> I do wonder if by placing the text on the site like that, we make it a
>>>> bit easier to defeat the original purpose of the prompt. Some other ideas:
>>>>
>>>> 1. We have a JavaScript snippet that executes when the page loads to
>>>> render the text in place. Not fool proof, but it's around the same level
>>>> as the current solution (though this would likely expose the credentials
>>>> in the JavaScript source).
>>>>
>>>> 2. We render the username/password using images. Similarly, not
>>>> foolproof, but requires a nontrivial effort.
>>>
>>> I don't think either of those make any actual difference. We already
>>> give the instructions in the actual prompt sent back, which is the
>>> very first things that scripts will see.
>>
>> Yes...that's what I said (perhaps not clearly) in the part of my
>> response you cut out.
>>
>>> If we want to defeat those
>>> things, we need to go to something like a captcha for example. Which
>>> will add a fair amount of friction for those that *do* know it
>>> already.
>>
>> I'm not suggesting we disable the Basic Auth mechanism. I'm just making
>> suggestions around displaying the credentials.
>>
>> If someone needs to look up the credentials, the captcha is not a bad idea.
>>
>>> Probably the majority of people who are downloading these have done so
>>> at least once before, and thus do *not* need the instructions.
>>
>> I don't know how frequently people use this feature (perhaps you have
>> the stats?). Whenever I do, I know I have to look up the instructions
>> every time because I don't remember the credentials, which leads to the
>> poor user experience that Dave describes.
>
> We seem to average 2 downloads of mbox files per day.
>
> And about 1300 hits to the mbox urls that return the 401 code to
> require authorization.
>
> It's hard to directly compare to "actual accesses to messages",
> because those are very heavily cached. But we're looking at
> approximately 75,000 cache *misses* on emails every day. So I would
> expect at least a few million downloads (for "recent messages" the
> cache rate is something in excess of 90%, but a fair number of the
> other hits might be a bot that's picking up old ones).
>
> Bottom line is, the number of people downloading the mboxes are *very*
> few in comparison.

*nods* thanks for confirming!

>>> We
>>> should try to avoid making it worse for them. And in particular, 99%
>>> of the visitors to our archives are not interested in mboxes at all,
>>
>> I would not dispute that the number of people downloading the mboxes is
>> way smaller than the other usage of the archives, but it would be good
>> to know the actual proportions. GA does not provide the mbox stats.
>>
>>> and we should *definitely* try to avoid making it worse for them.
>>
>> I don't see how any of the above, including Dave's patch, make things
>> worse. Again I was just suggesting on how to display the credentials,
>> not adding more steps to downloading the mbox.
>
> Well, Daves patch doesn't cover 2 out of 3 cases, that's a start :)
>
> And it makes it worse in that it goes in the very most "valuable
> space" on the screen, for something that's focused on a tiny portion
> of our users.
>
> I'm certainly not against making the information better, I'm just not
> sure that's the best way.

We could move it to the bottom of the pages. Or add it to this page[1]
and call it a day.

Jonathan

[1] https://www.postgresql.org/list/