[thelist] Windows WebDAV problem with authentication

Hassan Schroeder hassan.schroeder at gmail.com
Tue Aug 28 08:59:58 CDT 2007

On 8/27/07, Ken Schaefer <Ken at adopenstatic.com> wrote:
> What about using some alternate authentication mechanism? Digest
> or NTLM or Kerberos spring to mind (if SSL/TLS or IPSec can not be
> used to secure the channel)

Sorry, I'm confused -- I never said anything about SSL, and it certainly
*can* be used here.  I don't see how that relates to your point about this
registry setting applying to all possible servers.

Nor do I understand how this implied deficiency would be exploited.

> > ... why would you ask your users to deliberately make their machines
> > less secure than before?
> >
> > This setting does not apply to just your server. It means that anytime
> > the user is convinced to connect to a remote server that supports
> > WebDAV they may be prompted for their credentials, which would
> > potentially be sent in clear text
> 1. ? "..convinced to connect..." ? How would that work? We're talking
>    about "Network Places" deliberately created by the user here, not
>    something accessed through a browser from, say, a link in an email.
>    How is that exploitable?
> 2. Any random Web site can "prompt for credentials" to be sent in
>    clear text -- why is that less of a threat?

Hassan Schroeder ------------------------ hassan.schroeder at gmail.com

More information about the thelist mailing list