Security of WebDAV


#1

Before I dig out a packet sniffer, does anyone know if Dreamhost WebDAV supports digest authentication?

Not using SSL and the data isn’t that critical, but don’t want the user/pass with edit perms to be in cleartext.


#2

Digest authentication is not supported for WebDAV folders, as far as I can tell. The directory is not accessible via the shell once WebDAV is activated in the panel. Any existing .htaccess file is deleted, as well. So trying to plant one with Digest auth before activating in the panel won’t work. Likewise, you can’t turn “DAV on” in an .htaccess file and just bypass the panel.

I’m stumped at this point. I’d really like to be able to use WebDAV with Digest passwords. But I can’t. Any help, Dreamhost?

A broader question: can we just do away permanently and across the board with passwords in the clear as the default option? Passwords in the clear should be a selectable option to support broken clients. But they should never be the default option.

-B…


#3

Digest authentication is (was?) still not much more secure than Basic according to http://httpd.apache.org/docs/1.3/howto/auth.html#digestcaveat (which is out of date, but may still apply), as that says “that digested password is really all the information required to access the web site”. But to really investigate that (to see if it’s still true), the latest docs appear to be at http://httpd.apache.org/docs/trunk/mod/mod_auth_digest.html

Also, since you know things such as “you can’t turn “DAV on” in an .htaccess file and just bypass the panel” (bummer!, BTW), can you help with my issue detailed at
http://wiki.dreamhost.com/WebDAV#create_.26_edit_one.27s_own_Htaccess_.26_.password_files_.28on_Dreamhost_WebDAV.29 ?