[thelist] Windows WebDAV problem with authentication
hassan.schroeder at gmail.com
Tue Aug 28 08:59:58 CDT 2007
On 8/27/07, Ken Schaefer <Ken at adopenstatic.com> wrote:
> What about using some alternate authentication mechanism? Digest
> or NTLM or Kerberos spring to mind (if SSL/TLS or IPSec can not be
> used to secure the channel)
Sorry, I'm confused -- I never said anything about SSL, and it certainly
*can* be used here. I don't see how that relates to your point about this
registry setting applying to all possible servers.
Nor do I understand how this implied deficiency would be exploited.
> > ... why would you ask your users to deliberately make their machines
> > less secure than before?
> > This setting does not apply to just your server. It means that anytime
> > the user is convinced to connect to a remote server that supports
> > WebDAV they may be prompted for their credentials, which would
> > potentially be sent in clear text
> 1. ? "..convinced to connect..." ? How would that work? We're talking
> about "Network Places" deliberately created by the user here, not
> something accessed through a browser from, say, a link in an email.
> How is that exploitable?
> 2. Any random Web site can "prompt for credentials" to be sent in
> clear text -- why is that less of a threat?
Hassan Schroeder ------------------------ hassan.schroeder at gmail.com
More information about the thelist