On Thursday, August 31, 2017 at 3:12:10 PM UTC+2, Lost Admin wrote:
>
> Safety/security concerns with WebDav:
>

Well written!

> WebDav is conceptually a share network folder (so much so you can mount
> them with a drive letter on Windows) that is provided over HTTP. This means
> anyone who can access the webdav url can read, write, and delete to all the
> files available there. This includes making new directories.
>

Somewhere I read that, starting with IIS-7, write commands have to use basic-auth as a minimal requirement.

> To protect it, one typically uses HTTP Basic (or Digest) Authentication
> (part of the web server set-up). With basic authentication that means the
> password (and user name) are going across the network (including Internet
> when doing so remotely) in clear text and anyone who sees the traffic can
> read the login credentials. Using digest authentication reduces this risk
> as the password is no longer sent across the network. Usually it is
> recommended that you use HTTPS for webdav and not allow HTTP (unencrypted)
> connections. However, SSL/TLS has a lot of insecure configurations, so you
> need to know what you are doing (and what encryption protocols to allow).
>

Therefore IMO you have to use HTTPS as a minimal requirement if you face the internet.

... snip ...

> If you are extremely paranoid, you can set-up SSL/TLS client
> authentication which would require the browser to have a specific
> certificate (similar to the way the server needs one for HTTPS).
>

IMO no need to be extremely paranoid ... It's just a very convenient and secure workflow, once you could manage the certificate deployment.

> You could set-up your own carddav (address book) or caldav (calendar)
> server.
>

That's a nice plus.

have fun!
mario

To view this discussion on the web visit https://groups.google.com/d/msgid/tiddlywiki/5179e9bb-ca5b-4916-9050-3c6b5ef9a8a8%40googlegroups.com.
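As an added illustration (not from this thread, TiddlyWiki or any poster), here is an Apache httpd setup that applies the advice above: the weak variant the thread warns against (Basic auth over plain HTTP) is shown commented out beside the hardened one (HTTP only redirects, Digest auth, restricted TLS versions, client certificates required). Hostnames, paths and file names are placeholders.

```apache
# Added example, not from the thread. Hostnames, paths and file names are
# placeholders. Needs mod_dav, mod_dav_fs, mod_auth_digest, mod_ssl, mod_alias.

# Weak setting (what the thread warns against): WebDAV with Basic auth over
# plain HTTP, so user name and password cross the network as base64 text.
#<VirtualHost *:80>
#    ServerName dav.example.org
#    Alias /dav /srv/webdav
#    <Directory /srv/webdav>
#        Dav On
#        AuthType Basic
#        AuthName "WebDAV"
#        AuthUserFile /etc/apache2/dav.passwd
#        Require valid-user
#    </Directory>
#</VirtualHost>

# Hardened: port 80 does nothing but redirect to HTTPS.
<VirtualHost *:80>
    ServerName dav.example.org
    Redirect permanent / https://dav.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName dav.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/dav.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/dav.example.org.key
    # Only modern protocol versions (the "know what encryption to allow" point).
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Client-certificate authentication (the "extremely paranoid" option):
    # the client must present a certificate issued by our own CA.
    SSLCACertificateFile /etc/ssl/certs/dav-client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth 1

    Alias /dav /srv/webdav
    <Directory /srv/webdav>
        Dav On
        # Digest auth: the password itself is never sent on the wire.
        # The realm in the htdigest file must match AuthName.
        AuthType Digest
        AuthName "WebDAV"
        AuthDigestProvider file
        AuthUserFile /etc/apache2/dav.digest
        Require valid-user
    </Directory>
</VirtualHost>
```

Check the result with `apachectl configtest` before reloading, and create the Digest user file with `htdigest -c /etc/apache2/dav.digest WebDAV <user>`.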

