Dear Daniel,
thank you for your answer. I forgot the fact that the network is already
encrypted by SSL. Let's say the question was a little senseless ;)
Matthias
======= Original message from =======
> From: Daniel Molkentin <[email protected]>
> To : [email protected]
> Sent: 12.09.2013 10:44:59
Dear Matthias,
On 12.09.2013 at 10:24, Matthias wrote:
Dear Group,
I am not a WebDAV expert, but I read on a Microsoft website that
Microsoft disabled Basic Authentication for Windows for security
reasons related to the Basic Authentication standard. I also read "The most
serious flaw in Basic authentication is that it results in the
essentially cleartext transmission of the user's password over the
physical network." on this website:
http://www.webdav.org/specs/rfc2617.html#rfc.section.4.1
If I get this right, is it not a bad idea that ownCloud only uses
this type of authentication standard?
If you are running ownCloud, you will most certainly want to run it
SSL encrypted, at least outside your private LAN. Everything is
encrypted, including passwords, so you are good.
Let's look at the alternatives:
- Digest: requires either saving the password in clear text, or storing
it hashed in the exact format that Digest expects. This does not work
with a lot of auth backends that store the password hashed, but in
their own format (as, hopefully, all of them do).
- NTLM: suffers from compatibility problems
- Certificate based auth: too complicated for default usage, no
(trivial) login from 3rd party computers
- Negotiate: Windows only in practice, often negotiates NTLM (see
above); the GSSAPI proposal for Negotiate seems to be an expired IETF draft
Also: ownCloud holds (potentially private) data which should be just
as well protected as your password.
So use HTTPS (even a self-signed cert is fine); then Basic auth is not
an issue.
That is not to say we are not looking into certs, OAuth, etc. (and we
already have preliminary support for Shibboleth, which usually only
works for edus), but there is no silver bullet. Try to find who (apart
from SIP, which uses a slightly modified version of Digest) actually
uses Digest auth today. No one, really. And it's not because they're all
lazy slackers, but because there is actually no good standard that
works with hashed passwords on the server side, does not send the
password over the wire in plain text, works everywhere and is easy to use. Should I
be missing something, please speak up. Also, if you feel like you want
to contribute in this sector, we're more than happy for any help we
can get.
Cheers,
Daniel
--
www.owncloud.com <http://www.owncloud.com> - Your Data, Your Cloud,
Your Way!
ownCloud GmbH, GF: Markus Rex, Holger Dyroff
Schloßäckerstrasse 26a, 90443 Nürnberg, HRB 28050 (AG Nürnberg)
_______________________________________________
Owncloud mailing list
[email protected]
https://mail.kde.org/mailman/listinfo/owncloud
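The following Python is an added example, not code from this thread or from ownCloud. It makes the two points Daniel's reply rests on concrete: a Basic Authorization header is just base64 of `user:password`, so without TLS anyone on the path reads the password back, and a Digest server can only check a response if it holds MD5(user:realm:password) (RFC 2617's HA1), which a backend keeping passwords in its own salted format cannot reconstruct. The username, realm and password are RFC 2617's illustrative sample values; the nonce, cnonce, salt and the `pbkdf2_record` backend are constructed for the example.

```python
# Added example (not part of the mailing-list thread or of ownCloud):
# what "cleartext" Basic auth and Digest's server-side requirement look like.
import base64
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header(username, password):
    """Client side of RFC 2617 Basic: base64("user:pass"), nothing more."""
    token = base64.b64encode("{}:{}".format(username, password).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def basic_credentials(header):
    """What a passive observer sees without TLS: base64 is reversible encoding.
    The split is on the first ':' because the password itself may contain one."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    username, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return username, password


def digest_ha1(username, realm, password):
    """The secret a Digest server must hold: MD5(user:realm:password).
    It is password-equivalent (verify_digest needs nothing else) and can only
    be produced from the clear password or from this exact stored hash."""
    return md5_hex("{}:{}:{}".format(username, realm, password))


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2),
    where HA2 = MD5(method:uri)."""
    ha2 = md5_hex("{}:{}".format(method, uri))
    return md5_hex(":".join([ha1, nonce, nc, cnonce, qop, ha2]))


def verify_digest(stored_ha1, method, uri, nonce, nc, cnonce, response):
    """Server-side check. Note that it never sees the password, only HA1."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def pbkdf2_record(username, password, salt=b"constructed-salt"):
    """The kind of record most auth backends keep: salted, iterated, own format.
    (Constructed stand-in for a real backend's hash format.)"""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100000)
    return {"user": username, "pbkdf2": digest.hex(), "salt": salt.hex()}


def backend_can_serve_digest(record):
    """A backend can answer Digest only if it holds HA1 or the clear password.
    A salted PBKDF2 record cannot be turned back into HA1, so Digest is out."""
    return "ha1" in record or "password" in record


# Constructed sample values (user/realm/password are RFC 2617's illustrative ones).
USERNAME, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE, NC, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
METHOD, URI = "GET", "/dir/index.html"


if __name__ == "__main__":
    hdr = basic_header(USERNAME, PASSWORD)
    print("Basic header on the wire:      ", hdr)
    print("recovered by a passive observer:", basic_credentials(hdr))

    ha1 = digest_ha1(USERNAME, REALM, PASSWORD)
    resp = digest_response(ha1, METHOD, URI, NONCE, NC, CNONCE)
    print("Digest response:                ", resp)
    print("server verifies with HA1 only:  ",
          verify_digest(ha1, METHOD, URI, NONCE, NC, CNONCE, resp))
    print("backend storing HA1 can serve Digest:   ",
          backend_can_serve_digest({"user": USERNAME, "ha1": ha1}))
    print("backend storing PBKDF2 can serve Digest:",
          backend_can_serve_digest(pbkdf2_record(USERNAME, PASSWORD)))
```

Run it as a script to see the header, the decoded credentials and the Digest check; the last two lines are the practical reason Daniel gives for not offering Digest: only a backend that keeps HA1 (itself a password-equivalent that must be protected like the password) or the clear password can participate, and TLS makes Basic the simpler choice.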