WebDAV Client – Windows 7

4 Responses

  1. dwarf says:

    This is highly unsatisfying. But you shouldn’t blame MS for using the more secure authentication method (Digest). Digest must have been around for more than five years??

    To my knowledge the password encryption is done on the client (web browser) and then sent to the server.
    This uses username, password and “realm”, which is sent by the server. And this hash will of course not match the hash in the LDAP directory, as the LDAP does not care about realm (and there can be several).

    There is really no solution, except you change the client hash function. Imagine:
    The client uses md5 to hash the password only. This hash is then, together with the username and realm, used to generate a second hash.
    This second hash is transmitted to the server, and the server does the same. Except that the password hash is taken from the ldap.

    This requires a new http-standard? or where is webdav defined?

    • Jon says:

      The problem is that Digest is only mildly more secure than plain text. Yes, it is hashed, but it is MD5 level. So broken that you are almost better off not using it.

      And you are correct on how it functions, client hashes, sends to server, server verifies with its already stored hash. In order to “fix” this for LDAP, you’d have to get the client to hash differently (Which won’t happen because Digest is defined by its hash method), and get support mod_ldap to add digest support.

      Really the answer is using SSL, and Microsoft not arbitrarily un-supporting standards (ha!)

    • Evili says:

      “This is highly unsatisfying. But you shouldn’t blame MS for using the more secure authentication method (Digest).”

      Sorry, IMHO this is blame for MS since the WebDAV protocol does not state that digest auth is needed. In fact WebDAV had nothing to do with authentication and authorization; this is a task for the server implementation. Making this “ad hoc” choice of “only digest” is a typical “ME-MI-MINE only” tactic of MS.
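
The mismatch discussed in this thread, as an added example that is not part of any comment above: a Digest server has to hold MD5(username:realm:password), while an LDAP `{SSHA}` entry can only be checked against a plaintext password that Digest never sends. The user, realm, nonce and URI are constructed sample values, and the response uses the RFC 2617 form without `qop`.

```python
import base64
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def ha1(username, realm, password):
    # What a Digest server must store (htdigest-style); bound to one realm.
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1_hex, nonce, method, uri):
    # RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri))
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")

def ssha(password, salt):
    # LDAP-style {SSHA} value: base64(SHA1(password + salt) + salt)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_check(stored, candidate):
    # Checking {SSHA} needs the plaintext candidate; the salt is in the entry.
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(digest, hashlib.sha1(candidate.encode() + salt).digest())

def server_accepts(stored_ha1, nonce, method, uri, client_response):
    expected = digest_response(stored_ha1, nonce, method, uri)
    return hmac.compare_digest(expected, client_response)

def demo():
    # Constructed sample values, not taken from the page.
    user, realm, password = "alice", "webdav@example.test", "correct horse"
    nonce, method, uri = "3f2a9c0d", "PROPFIND", "/dav/"
    # Client side: only this response is sent, never the password itself.
    response = digest_response(ha1(user, realm, password), nonce, method, uri)
    ldap_entry = ssha(password, b"\x01\x02\x03\x04")
    other_ha1 = ha1(user, "other realm", password)
    return {
        "ha1_store_verifies": server_accepts(ha1(user, realm, password), nonce, method, uri, response),
        "other_realm_verifies": server_accepts(other_ha1, nonce, method, uri, response),
        "ssha_matches_password": ssha_check(ldap_entry, password),
        "ssha_matches_response": ssha_check(ldap_entry, response),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the server that stored HA1 for the same realm can recompute the response; the LDAP entry verifies the plaintext password but is of no use against the value a Digest client transmits.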

