[Owncloud] Basic vs Digest Authentication

André Schild a.schild at aarboard.ch
Mon Jun 10 07:04:33 UTC 2013


Hello Marc,

Am 09.06.2013 22:22, schrieb Marc Leuser:
> Hello people,
>
> I'm fairly new to ownCloud and I've spent my Sunday testing and trying 
> to make it fit my needs. I've basically set it up to work the way I 
> need it to work. I can use WebDAV and the OC Sync client via https.
>
> However there is one thing that confuses me. Why is OC using basic 
> authentication when it's considered insecure? From what I've read it's 
> basically possible to use Wireshark (as an example) to catch the 
> packets and then just decode the username and corresponding password. 
> Isn't that a huge security leak? I've been browsing the SabreDAV 
> manual for a minute or two and read that it is even using digest by 
> default. So why is it that ownCloud doesn't use digest? It made me 
> sceptical that I had to allow unencrypted basic auth in Windows in 
> order to use the native WebDAV client.

Basic auth via HTTP is not secure
Digest auth via HTTP is only partly secure

Digest auth via HTTPS is secure
Basic auth via HTTPS is secure

The reason OC needs to receive the real password (and not only a hash of
it) is that, depending on the authentication backend, we need to have the
clear text password to match against the server side password.

For example, when you use LDAP/ADS as your user source, OC needs to log in
to the LDAP server with the real user password.
I can't log in on an LDAP server with a hash of the realm+username+password.

This is the reason the basic auth is required.

You should always secure all webdav traffic with https,
otherwise everyone in between has access to all files sent/received.

André
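The point made above (a server can only verify a Digest response if it holds the password or the HA1 hash, whereas a directory backend only offers a bind with the clear-text password that Basic auth delivers), as an added Python example that is not part of the original mail; the realm string, both backends and the credentials are constructed stand-ins, not ownCloud code.

```python
import base64
import hashlib

REALM = "ownCloud"  # assumed realm string, not taken from ownCloud's code

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, password, method, uri, nonce):
    """Client side of RFC 2617 Digest (no qop): MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class LocalUserDb:
    """Backend that keeps HA1 = MD5(user:realm:password) per user, which is
    exactly the secret a server needs in order to verify a Digest response."""
    def __init__(self, creds):
        self.ha1 = {u: md5_hex(f"{u}:{REALM}:{p}") for u, p in creds.items()}

    def check_digest(self, username, method, uri, nonce, response):
        ha1 = self.ha1.get(username)
        if ha1 is None:
            return False
        ha2 = md5_hex(f"{method}:{uri}")
        return md5_hex(f"{ha1}:{nonce}:{ha2}") == response

class LdapBackend:
    """Constructed stand-in for LDAP/AD: the only operation is a bind with
    the clear-text password; it never exposes a password hash or an HA1."""
    def __init__(self, creds):
        self._creds = creds

    def bind(self, username, password):
        return self._creds.get(username) == password

    def check_digest(self, *_):
        # No HA1 is stored here, so there is nothing to compare a response to.
        raise NotImplementedError("directory backend cannot verify Digest")

def parse_basic_header(header):
    """Decode an 'Authorization: Basic <base64(user:pass)>' header value."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not Basic auth")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def authenticate_basic(header, backend):
    """Basic hands the server the real password, so an LDAP bind is possible."""
    return backend.bind(*parse_basic_header(header))
```

Digest is verifiable only against LocalUserDb; against LdapBackend there is no HA1 to compare with, which is why the clear-text credential from Basic auth (over HTTPS) is what the directory bind needs.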
