
RE: Need feedback on new Mini-Redirector tutorial

From: Wilfred Nilsen <wilfrednilsen@hotmail.com>
Date: Mon, 25 Jun 2007 17:29:32 +0200
Message-ID: <BAY121-W490A35147833B15D76302BB140@phx.gbl>
To: <w3c-dist-auth@w3.org>

> On
> http://barracudaserver.com/products/BarracudaDrive/tutorials/mini_redirector.html
> there seems to be a major error concerning security and authentication.
>
> It is the *server* that decides whether it accepts authentication or not.

You are probably right in an ideal world, but the software
will not be good at interoperating unless you accept both Basic and Digest. In
addition, one must also accept the incorrect domain name added by Microsoft
WebDAV clients. 



> So by default, if the connection is not TLS-secured, a server MUST NOT
> accept Basic Authentication, and it MUST NOT ask the client for Basic

What good is this if a client sends a Basic authentication
header anyway? The damage has already happened and any eavesdropper can extract
the username and password the client sent.

-W

 


Received on Monday, 25 June 2007 15:29:49 GMT
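
The two points in this exchange, sketched as an added example (not code from the tutorial or from either poster): Basic is advertised only over TLS, and a Basic header that arrives unsolicited over plaintext is refused but reported as an exposed credential, since refusing it does not undo the disclosure. The function names, the action strings and the `DOMAIN\user` form of the client-added domain name are assumptions made for illustration.

```python
import base64
import secrets

def strip_domain(user):
    # Assumption: the client-added domain arrives as "DOMAIN\user".
    return user.rpartition("\\")[2]

def evaluate(is_tls, authorization, realm="dav"):
    """Return (action, user, challenges) for one request.

    Actions: "challenge", "verify_basic", "verify_digest",
    "reject_exposed", "bad_request".
    """
    nonce = secrets.token_hex(16)
    challenges = ['Digest realm="%s", qop="auth", nonce="%s"' % (realm, nonce)]
    if is_tls:
        # Basic is only advertised when the transport is encrypted.
        challenges.append('Basic realm="%s"' % realm)
    if not authorization:
        return "challenge", None, challenges
    scheme, _, param = authorization.partition(" ")
    scheme = scheme.lower()
    if scheme == "digest":
        return "verify_digest", None, challenges
    if scheme != "basic":
        return "challenge", None, challenges
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return "bad_request", None, challenges
    user, sep, _password = decoded.partition(":")
    if not sep:
        return "bad_request", None, challenges
    user = strip_domain(user)
    if not is_tls:
        # Unsolicited Basic over plaintext: refusing does not undo the leak,
        # so the caller should treat this user's password as exposed.
        return "reject_exposed", user, challenges
    return "verify_basic", user, challenges

# Constructed sample header carrying "EXAMPLEHOST\alice:s3cret"
SAMPLE = "Basic " + base64.b64encode(b"EXAMPLEHOST\\alice:s3cret").decode()
```
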

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:15 GMT