WebDAV and authentication types


#1

Hi,

It seems that XP and Vista disallow Basic Authentication for WebDAV / Web Folders by default. Although it is possible to override this setting by editing the registry, is there any reason why DH is using the relatively insecure Basic Authentication as opposed to more secure methods? It seems that MS recommends Kerberos or NTLM.

Cheers


#2

Kerberos requires a significant amount of infrastructure to implement (several dedicated key servers, and many headaches), and NTLM is Windows-only. I’ve created an issue for the developers to look into at some point, though.

If you’re really concerned about security for your WebDAV directories, though, we highly recommend setting it up on an HTTPS domain.


#3

Thanks for your reply. I didn’t realize it was such a task to implement. What about moving over to digest authentication, which is not much more secure, but seems a little better than cleartext passwords? I use it with .htaccess even though DH’s default .htaccess authentication is basic.


#4

The issue with switching to Digest authentication for WebDAV is that some older clients may not support it — and Digest authentication is not backwards-compatible with Basic auth, so switching to Digest would prevent those clients from working at all.
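As an added example (not from this thread or from DreamHost), the script below puts the Basic-vs-Digest comparison from #2 through #4 into code: it parses the WWW-Authenticate challenges a WebDAV server returns, rates Basic as cleartext unless the share is on HTTPS, decodes a Basic header to show it is only base64, and computes an RFC 2617 Digest response both from the password and from the stored HA1 hash, which is the caveat that an htdigest file holds a password-equivalent. The URL, realm, nonce and credentials are constructed sample values.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample: what a PROPFIND on a mod_dav share might answer with.
SAMPLE_URL = "http://example.invalid/dav/"
SAMPLE_CHALLENGES = ['Basic realm="WebDAV"',
                     'Digest realm="WebDAV", nonce="abc123", qop="auth"']

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')

def parse_challenge(value):
    """Split one WWW-Authenticate header value into (scheme, params)."""
    scheme, _, rest = value.strip().partition(" ")
    params = {k.lower(): q or b for k, q, b in _PARAM.findall(rest)}
    return scheme.lower(), params

def decode_basic(authorization):
    """Basic credentials are base64, not encryption: anyone on the path can read them."""
    raw = base64.b64decode(authorization.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_from_ha1(ha1, nonce, method, uri):
    """Digest response (RFC 2617, no qop) from HA1 alone, the value an htdigest file stores."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

def digest_response(user, realm, password, nonce, method, uri):
    """Client side: the password itself never leaves the client, only this MD5 response."""
    return digest_from_ha1(md5hex(f"{user}:{realm}:{password}"), nonce, method, uri)

def assess(url, challenges):
    """Rate each offered scheme: Basic is 'cleartext' on plain HTTP and 'ok' on HTTPS;
    Digest is 'hashed' (password not sent, but MD5-based and HA1 is stored server-side)."""
    tls = urlparse(url).scheme == "https"
    result = {}
    for value in challenges:
        scheme, _ = parse_challenge(value)
        if scheme == "basic":
            result["basic"] = "ok" if tls else "cleartext"
        elif scheme == "digest":
            result["digest"] = "hashed"
        else:
            result[scheme] = "unknown"
    return result
```

Run `assess(SAMPLE_URL, SAMPLE_CHALLENGES)` to see that the sample share offers Basic in the clear next to Digest; the same share on an https:// URL rates Basic as acceptable.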