[Owncloud] Webdav Basic Authentication

Matthias suleimann at gmx.at
Thu Sep 12 10:25:08 UTC 2013


Dear Daniel,

thank you for your answer. I forgot the fact that the network is already 
encrypted by SSL. Let's say, the question was a little senseless ;)

Matthias




======= Original message from =======
 > From: Daniel Molkentin <danimo at owncloud.com>
 > To : owncloud at kde.org
 > Sent: 12.09.2013 10:44:59


> Dear Matthias,
>
> Am 12.09.2013 um 10:24 schrieb Matthias:
>
>> Dear Group,
>>
>> I am not a webdav expert but I read on a microsoft website, that 
>> microsoft disabled Basic Authentication for windows due to security 
>> reasons of the Basic Authentication standard. I also read "The most 
>> serious flaw in Basic authentication is that it results in the 
>> essentially cleartext transmission of the user's password over the 
>> physical network." on this website:
>> http://www.webdav.org/specs/rfc2617.html#rfc.section.4.1
>>
>> If I get this right, it is not a good idea that owncloud only uses 
>> this type of Authentication standard?
>
> If you are running ownCloud, you will most certainly want to run it 
> SSL encrypted, at least outside your private LAN. Everything is 
> encrypted, including passwords, so you are good.
>
> Let's look at the alternatives:
>
> - digest: requires either saving the password in clear text, or storing 
> it hashed in the exact format that digest expects. This does not work 
> with a lot of auth backends that store the password hashed, but in 
> their own format (like, hopefully, any).
> - NTLM: suffers from compatibility problems
> - Certificate based auth: too complicated for default usage, no 
> (trivial) login from 3rd party computers
> - Negotiate: Windows only in practice, often negotiates NTLM (see 
> above), GSSAPI proposal for negotiate seems to be an expired IETF draft
>
> Also: ownCloud holds (potentially private) data which should be just 
> as well protected as your password.
>
> So use HTTPS (even a self-signed cert is fine), then basic auth is not 
> an issue.
>
> That is not to say we are not looking into certs, oauth, etc (and we 
> already have preliminary support for shibboleth, which usually only 
> works for edus) but there is no silver bullet. Try to find who (apart 
> from SIP, which uses a slightly modified version of Digest) actually 
> uses Digest auth today. No one really. And it's not because they're all 
> lazy slackers, but because there is actually no good standard that 
> works with hashed passwords on the server side and does not wire the 
> password plain text and works everywhere and is easy to use. Should I 
> be missing something, please speak up. Also, if you feel like you want 
> to contribute in this sector, we're more than happy for any help we 
> can get.
>
> Cheers,
>  Daniel
>
> --
> www.owncloud.com <http://www.owncloud.com> - Your Data, Your Cloud, 
> Your Way!
>
> ownCloud GmbH, GF: Markus Rex, Holger Dyroff
> Schloßäckerstrasse 26a, 90443 Nürnberg, HRB 28050 (AG Nürnberg)
>
>
>
> _______________________________________________
> Owncloud mailing list
> Owncloud at kde.org
> https://mail.kde.org/mailman/listinfo/owncloud
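The two points in the quoted reply, that a Basic header is only encoded (not encrypted) and that Digest forces the server to keep either the cleartext password or a hash in Digest's own fixed format, are easy to see in code. The following is an added example written for this page; it is not code from ownCloud or from either poster. The user name, password, realm "ownCloud", nonce and request URI are constructed sample values, and the "sha256-salted" record type stands in for "an auth backend's own hash format"; a real backend would use a purpose-built password hash, but the point (no HA1 available) is the same.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample realm; not taken from the thread or from ownCloud.
REALM = "ownCloud"


def basic_header(user, password):
    """Client side of RFC 2617 Basic: base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header):
    """Whoever sees the header on an unencrypted link recovers the password:
    base64 is encoding, not encryption. This is the cleartext-transmission
    flaw the RFC describes, and why the header must only travel over TLS."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def digest_ha1(user, realm, password):
    """RFC 2617 HA1 = MD5(user:realm:password), the only derived value the
    Digest scheme allows a server to store instead of the cleartext password.
    Unsalted MD5, and tied to the realm string."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def digest_response(ha1, method, uri, nonce):
    """Client response for Digest without qop: MD5(HA1:nonce:HA2)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


# Two styles of server-side credential record (constructed for this example):
#   ("digest-ha1", ha1)           the exact format Digest needs
#   ("sha256-salted", salt, hash) stand-in for "a backend's own hash format"
def store_for_digest(user, password):
    return ("digest-ha1", digest_ha1(user, REALM, password))


def store_salted(password):
    salt = os.urandom(16)
    return ("sha256-salted", salt, hashlib.sha256(salt + password.encode()).digest())


def verify_basic(record, user, header):
    """Basic works against any stored format: the server receives the
    cleartext password and can re-run whatever hash the backend uses."""
    hdr_user, password = decode_basic(header)
    if hdr_user != user:
        return False
    if record[0] == "digest-ha1":
        return hmac.compare_digest(record[1], digest_ha1(user, REALM, password))
    if record[0] == "sha256-salted":
        _, salt, stored = record
        return hmac.compare_digest(stored, hashlib.sha256(salt + password.encode()).digest())
    return False


def verify_digest(record, method, uri, nonce, response):
    """Digest can only be checked when the server holds HA1 (or the cleartext).
    A salted hash in some other format gives it nothing to compute the expected
    response from, so the server has to refuse (None = cannot verify)."""
    if record[0] != "digest-ha1":
        return None
    expected = digest_response(record[1], method, uri, nonce)
    return hmac.compare_digest(expected, response)
```

Run it with a record of each type: Basic verifies against both, Digest verifies only against the HA1 record and returns None for the salted one. That None is exactly the incompatibility the reply refers to: to offer Digest, a deployment would have to re-store every password as MD5(user:realm:password), which most backends (LDAP, database hashes in their own format) cannot provide.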



