[thelist] Windows WebDAV problem with authentication

Hassan Schroeder hassan.schroeder at gmail.com
Tue Aug 21 09:13:04 CDT 2007


On 8/20/07, Ken Schaefer <Ken at adopenstatic.com> wrote:
> Question - why are you using Basic Authentication over plain HTTP?

As step two in evaluating whether WebDAV is a viable option for the
client? Which, given that it requires mucking with the registry, is not
at this point certain...

> ... why would you ask your users to deliberately make their machines
> less secure than before?
>
> This setting does not apply to just your server. It means that anytime
> the user is convinced to connect to a remote server that supports
> WebDAV they may be prompted for their credentials, which would
> potentially be sent in clear text

1. ? "..convinced to connect..." ? How would that work? We're talking
   about "Network Places" deliberately created by the user here, not
   something accessed through a browser from, say, a link in an email.

   How is that exploitable?

2. Any random Web site can "prompt for credentials" to be sent in
   clear text -- why is that less of a threat?

But OK, for the sake of argument -- if you think that UseBasicAuth is
inherently insecure -- what's the alternative?

-- 
Hassan Schroeder ------------------------ hassan.schroeder at gmail.com
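The point Ken raises above is that Basic Authentication only base64-encodes the credential, so on a plain-HTTP WebDAV connection the username and password are recoverable by anyone on the path. The following is an added defender-side example, not code from this thread: it audits constructed request records (such as a proxy or IDS might emit; the host names and header values are made up) and flags Basic credentials that were sent without TLS, decoding the header only far enough to identify the user and report the password length.

```python
import base64
from typing import Optional

# Constructed sample of request metadata as a forward proxy might record it.
# Hosts and tokens are invented for this example; "ZGF2dXNlcjpodW50ZXIy"
# is base64 of "davuser:hunter2".
SAMPLE_REQUESTS = [
    {"scheme": "http", "host": "dav.example.test",
     "headers": {"Authorization": "Basic ZGF2dXNlcjpodW50ZXIy"}},
    {"scheme": "https", "host": "dav.example.test",
     "headers": {"Authorization": "Basic ZGF2dXNlcjpodW50ZXIy"}},
    {"scheme": "http", "host": "api.example.test",
     "headers": {"Authorization": "Bearer not-basic-auth"}},
    {"scheme": "http", "host": "broken.example.test",
     "headers": {"Authorization": "Basic !!!not-base64!!!"}},
    {"scheme": "http", "host": "anon.example.test",
     "headers": {}},
]


def parse_basic_credentials(header_value: str) -> Optional[tuple[str, str]]:
    """Return (user, password) for a well-formed Basic header, else None.

    Basic auth is 'Basic ' followed by base64(user ':' password); there is
    no encryption involved, which is why it must only travel over TLS.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        # binascii.Error (bad base64) is a ValueError subclass.
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def audit(requests: list[dict]) -> list[dict]:
    """Report every request carrying Basic credentials and whether the
    transport was cleartext HTTP. The password itself is never emitted;
    only its length is recorded so the finding can be triaged safely."""
    findings = []
    for req in requests:
        auth = req["headers"].get("Authorization")
        if not auth:
            continue
        creds = parse_basic_credentials(auth)
        if creds is None:
            continue
        user, password = creds
        findings.append({
            "host": req["host"],
            "user": user,
            "password_length": len(password),
            "cleartext": req["scheme"].lower() == "http",
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUESTS):
        status = "CLEARTEXT" if finding["cleartext"] else "tls"
        print(f'{status:9} {finding["host"]} user={finding["user"]} '
              f'pwlen={finding["password_length"]}')
```

Run as-is, it reports two Basic logins for the same user, one over HTTP and one over HTTPS; only the first is a cleartext exposure. The `Bearer`, malformed and unauthenticated records are skipped rather than misreported, which matters when the same check runs over real proxy logs.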