[thelist] Vehicle Rental Application
Chris Dempsey
evolt at cubeit.co.uk
Tue Aug 28 06:34:01 CDT 2007
Anyone know of a pre-built solution for a Vehicle Rental company? Needs to
show availability, allow users to book online etc. ASP based would be great
but could probably work with PHP. I found a couple of options listed but
they don't appear to be too hot. Anyone using or seen something that may do
the job?
Thanks,
Chris.
-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Ken Schaefer
Sent: 28 August 2007 07:30
To: thelist at lists.evolt.org
Subject: Re: [thelist] Windows WebDAV problem with authentication
What about using some alternate authentication mechanism? Digest or NTLM or
Kerberos spring to mind (if SSL/TLS or IPSec cannot be used to secure the
channel).
Cheers
Ken
-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Hassan Schroeder
Sent: Wednesday, 22 August 2007 12:13 AM
To: thelist at lists.evolt.org
Subject: Re: [thelist] Windows WebDAV problem with authentication
On 8/20/07, Ken Schaefer <Ken at adopenstatic.com> wrote:
> Question - why are you using Basic Authentication over plain HTTP?
As step two in evaluating whether WebDAV is a viable option for the
client? Which, given that it requires mucking with the registry, is not
at this point certain...
> ... why would you ask your users to deliberately make their machines
> less secure than before?
>
> This setting does not apply to just your server. It means that anytime
> the user is convinced to connect to a remote server that supports
> WebDAV they may be prompted for their credentials, which would
> potentially be sent in clear text
1. ? "..convinced to connect..." ? How would that work? We're talking
about "Network Places" deliberately created by the user here, not
something accessed through a browser from, say, a link in an email.
How is that exploitable?
2. Any random Web site can "prompt for credentials" to be sent in
clear text -- why is that less of a threat?
But OK, for the sake of argument -- if you think that UseBasicAuth is
inherently insecure -- what's the alternative?
--
Hassan Schroeder ------------------------ hassan.schroeder at gmail.com
--
--
* * Please support the community that supports you. * *
http://evolt.org/help_support_evolt/
For unsubscribe and other options, including the Tip Harvester
and archives of thelist go to: http://lists.evolt.org
Workers of the Web, evolt !