Bugtraq mailing list archives

Re: Cleartext Password display in NS Communicator


From: oskar () is co za (Oskar Pearson)
Date: Thu, 3 Jul 1997 09:19:24 +0200


Fred Albrecht wrote:

The password is now plainly visible in the URL field :
    « ftp://user:passwd@host »

Appendix to my previous message:
It happens only when connecting over proxy Squid (1.1.10) and it appears
also in Squid's access.log.

After trying a number of combinations, it seems that it indeed only works
when going through the proxy... Squid 1.1.11 here.

Squid 1.NOVM.10 here

At any rate, Netscape shouldn't display the password and squid shouldn't
log what it can clearly identify as « sensitive » information.

Agreed - this is, however, a _setup_ problem with the squid proxy.

You have to change squid.conf so that ftpget_options includes either
the "-a" or "-A" flag (I prefer "-a").
It might be worth putting this in the documentation
or the config file's comments... I will contact people about this.

Our config file contains:
ftpget_options -a -p http://www.is.co.za/tisservices/proxy/ -s .gif -w 25

For the list of possible options, run '/usr/local/squid/bin/ftpget -h'

These are the relevant options:
        -a              Do not show password in generated URLs
        -A              Do not show login information in generated URLs

        Oskar
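
For access.log files written before ftpget_options was changed, the following added example (not part of the original post and not Squid code) flags log lines whose URL carries a password and rewrites them the way the -a and -A descriptions above read. The log layout, the sample lines, and the names scrub_line and audit are assumptions made for illustration.

```python
import re

# scheme:// followed by the authority (everything up to the first / ? #)
AUTHORITY_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*://)([^\s/?#]*)")

def scrub_line(line, hide_login=False):
    """Return (scrubbed_line, n_changed). hide_login=False drops only the
    password (like -a); hide_login=True drops user and password (like -A)."""
    changed = 0

    def repl(m):
        nonlocal changed
        scheme, authority = m.groups()
        if "@" not in authority:
            return m.group(0)
        userinfo, host = authority.rsplit("@", 1)
        user, colon, _password = userinfo.partition(":")
        if hide_login:
            kept = host
        elif colon:
            kept = f"{user}@{host}"
        else:
            return m.group(0)  # user name only, no password to drop
        changed += 1
        return scheme + kept

    return AUTHORITY_RE.sub(repl, line), changed

def audit(lines, hide_login=False):
    """Scrub every line; return (clean_lines, 1-based numbers of changed lines)."""
    clean, flagged = [], []
    for n, line in enumerate(lines, 1):
        new, changed = scrub_line(line, hide_login)
        clean.append(new)
        if changed:
            flagged.append(n)
    return clean, flagged

# Constructed sample lines; the field layout is an assumed access.log format.
SAMPLE = [
    "867914364.123 412 10.0.0.5 TCP_MISS/200 2048 GET ftp://user:passwd@host/pub/README - DIRECT/host text/plain",
    "867914365.456 98 10.0.0.5 TCP_HIT/200 512 GET http://www.example.com/ - NONE/- text/html",
    "867914366.789 230 10.0.0.9 TCP_MISS/200 900 GET ftp://anonymous@host/pub/ - DIRECT/host text/html",
]

if __name__ == "__main__":
    clean, flagged = audit(SAMPLE)
    print("lines with a password in the URL:", flagged)
    print("\n".join(clean))
```

Any password the audit flags has already been written to disk in clear text and should be changed, since scrubbing the log does not undo that exposure.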


