[Owncloud] Basic vs Digest Authentication

Evert Pot evert at rooftopsolutions.nl
Sun Jun 9 20:40:45 UTC 2013


Basically, HTTP Basic auth should under no circumstances be used with servers with no SSL (https).

On Jun 9, 2013, at 9:22 PM, Marc Leuser <marc.leuser at gmail.com> wrote:

> Hello people,
> 
> I'm fairly new to ownCloud and I've spent my Sunday testing and trying to make it fit my needs. I've basically set it up to work the way I need it to work. I can use WebDAV and the OC Sync client via https.
> 
> However, there is one thing that confuses me. Why is OC using basic authentication when it's considered insecure? From what I've read it's basically possible to use Wireshark (as an example) to catch the packets and then just decode the username and corresponding password. Isn't that a huge security leak? I've been browsing the SabreDAV manual for a minute or two and read that it is even using digest by default. So why is it that ownCloud doesn't use digest? It made me sceptical that I had to allow unencrypted basic auth in Windows in order to use the native WebDAV client.
> 
> I might be a little confused here, I surely am not an expert with experience in state of the art software, but I'm not a total newb to networking and security either (I suppose?)
> 
> I hope someone can enlighten me a bit, perhaps send me a link where I can take some time and read about it?
> 
> Regards
> _______________________________________________
> Owncloud mailing list
> Owncloud at kde.org
> https://mail.kde.org/mailman/listinfo/owncloud
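The point Marc raises and Evert's one-line answer can be shown concretely. The following is an added example, not code from the thread, from ownCloud or from SabreDAV: it builds two constructed WebDAV requests (made-up user, password, nonce and host), parses them the way a passive sniffer on a plain http:// link would, and shows that Basic hands over the password in cleartext while Digest (RFC 2617, qop=auth) exposes only an MD5 response. It also carries the caveat a practitioner wants: the captured Digest fields are enough to guess the password offline, so Digest is not a substitute for TLS either. `digest_response` follows the RFC 2617 construction; every other name here is an assumption for illustration.

```python
import base64
import hashlib
import re

# Constructed sample parameters (not from any real ownCloud capture).
REALM = "ownCloud"
METHOD = "PROPFIND"
URI = "/remote.php/webdav/"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # server nonce, made up
CNONCE = "0a4f113b"                            # client nonce, made up
NC = "00000001"


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, method, uri, realm, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest response for qop=auth:
    MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA1 = MD5(user:realm:pass),
    HA2 = MD5(method:uri). Note the password only ever enters via HA1."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_basic_request(user, password):
    """Constructed request as a WebDAV client using Basic auth would send it."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (f"{METHOD} {URI} HTTP/1.1\r\nHost: cloud.example.org\r\n"
            f"Authorization: Basic {token}\r\n\r\n")


def build_digest_request(user, password):
    """Constructed request as a WebDAV client using Digest auth would send it."""
    resp = digest_response(user, password, METHOD, URI, REALM, NONCE, NC, CNONCE)
    return (f"{METHOD} {URI} HTTP/1.1\r\nHost: cloud.example.org\r\n"
            f'Authorization: Digest username="{user}", realm="{REALM}", '
            f'nonce="{NONCE}", uri="{URI}", qop=auth, nc={NC}, '
            f'cnonce="{CNONCE}", response="{resp}"\r\n\r\n')


def parse_authorization(request):
    """Return (scheme, value) from the Authorization header of a raw request."""
    for line in request.split("\r\n"):
        if line.lower().startswith("authorization:"):
            scheme, _, value = line.split(":", 1)[1].strip().partition(" ")
            return scheme, value
    return None, None


def sniff_basic(request):
    """What a sniffer recovers from Basic: base64 is encoding, not encryption."""
    scheme, value = parse_authorization(request)
    assert scheme == "Basic"
    user, _, password = base64.b64decode(value).decode().partition(":")
    return user, password


# key="quoted value" or key=unquoted-value, comma separated
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,]*))')


def parse_digest_params(value):
    return {k: (q if q else u) for k, q, u in _PARAM.findall(value)}


def sniff_digest(request):
    """What a sniffer recovers from Digest: no password, only the response hash
    plus the public fields (nonce, cnonce, nc, uri, realm) that went into it."""
    scheme, value = parse_authorization(request)
    assert scheme == "Digest"
    return parse_digest_params(value)


def offline_guess(params, method, wordlist):
    """Caveat: everything needed to test a candidate password is in the
    capture, so a weak password still falls to an offline dictionary run."""
    for guess in wordlist:
        r = digest_response(params["username"], guess, method, params["uri"],
                            params["realm"], params["nonce"], params["nc"],
                            params["cnonce"], params["qop"])
        if r == params["response"]:
            return guess
    return None


if __name__ == "__main__":
    basic = build_basic_request("alice", "correct horse")
    print("Basic reveals:", sniff_basic(basic))
    digest = build_digest_request("alice", "correct horse")
    seen = sniff_digest(digest)
    print("Digest reveals only response:", seen["response"])
    print("Offline guess:", offline_guess(seen, METHOD, ["password", "correct horse"]))
```

Two things follow from running it. First, the "decode the username and password from Wireshark" worry is exactly right for Basic over plain HTTP, which is what Evert's reply is about; over https the header is inside the TLS stream and a sniffer sees nothing. Second, switching to Digest on a non-TLS link only changes the attack from reading the password to guessing it offline against the captured response, and an active attacker on that link can still tamper with the unauthenticated request bodies. The scheme also requires the server to hold either the plaintext password or HA1 (MD5 of user:realm:password), which rules out storing passwords under a salted, slow hash. TLS is the control; the choice between Basic and Digest is secondary to it.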



