[Owncloud] Webdav Basic Authentication

Daniel Molkentin danimo at owncloud.com
Thu Sep 12 08:44:59 UTC 2013

Dear Matthias,

Am 12.09.2013 um 10:24 schrieb Matthias:

> Dear Group,
> I am not a webdav expert but I read on a microsoft website, that microsoft disabled Basic Authentication for windows due to security reasons of the Basic Authentication standard. I also read "The most serious flaw in Basic authentication is that it results in the essentially cleartext transmission of the user's password over the physical network." on this website:
> http://www.webdav.org/specs/rfc2617.html#rfc.section.4.1
> If I get this right, it is not a good idea that owncloud only uses this type of Authentication standard?

If you are running ownCloud, you will most certainly want to run it SSL encrypted, at least outside your private LAN. Everything is encrypted, including passwords, so you are good.

Let's look at the alternatives:

- digest: requires to either save the password in clear text, or store it hashed in the exact format that digest expects. This does not work with a lot of auth backends that store the password hashed, but in their own format (like, hopefully, any).
- NTLM: suffers from compatibility problems
- Certificate based auth: too complicated for default usage, no (trivial) login from 3rd party computers
- Negotiate: Windows only in practise, often negotiates NTLM (see above), GSSAPI proposal for negotiate seems to be an expired IETF draft

Also: ownCloud holds (potentially private) data which should be just as well protected as your password.

So use HTTPS (even a self-signed cert is fine), then basic auth is not an issue).

That is not to say we are not looking into certs, oauth, etc (and we already have premilary support for shibboleth, which usually only works for edus) but there is no silver bullet. Try to find who (apart from SIP, which uses a slightly modified version of Digest) actually uses Digest auth today. Noone really. And it's not because they're all lazy slackers, but because there is actually no good standard that works with hashed passwords on the server side and does not wire the password plain text and works everywhere and is easy to use. Should I be missing something, please speak up. Also, if you feel like you want to contribute in this sector, we're more than happy for any help we can get.


www.owncloud.com - Your Data, Your Cloud, Your Way!

ownCloud GmbH, GF: Markus Rex, Holger Dyroff
Schloßäckerstrasse 26a, 90443 Nürnberg, HRB 28050 (AG Nürnberg)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/owncloud/attachments/20130912/c2d6d2a5/attachment.html>

More information about the Owncloud mailing list