- From: Wilfred Nilsen <wilfrednilsen@hotmail.com>
- Date: Mon, 25 Jun 2007 17:29:32 +0200
- To: <w3c-dist-auth@w3.org>
- Message-ID: <BAY121-W490A35147833B15D76302BB140@phx.gbl>
> On
> http://barracudaserver.com/products/BarracudaDrive/tutorials/mini_redirector.html
> there seems to be a major error concerning security and authentication.
>
> It is the *server* that decides whether it accepts authentication or not.

You are probably right in an ideal world, but the software will not be good at interoperating unless you accept both Basic and Digest. In addition, one must also accept the incorrect domain name added by Microsoft WebDAV clients.

>So by default, if the connection is not TLS-secured, a server MUST NOT
>accept Basic Authentication, and it MUST NOT ask the client for Basic

What good is this if a client sends a Basic authentication header anyway? The damage has already happened and any eavesdropper can extract the username and password the client sent.

-W
Received on Monday, 25 June 2007 15:29:49 UTC
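
The two positions in this exchange, as an added Python sketch that is not part of the original e-mail or of any product it mentions: the server offers and accepts Basic only over TLS, and when a Basic header arrives over cleartext anyway it refuses the request and reports the account whose password was exposed. The names `USERS`, `decode_basic`, `normalize_user` and `handle_request`, the sample account, and the `DOMAIN\user` form of the client-added domain are assumptions made for illustration.

```python
import base64
import hmac

# Constructed account store; plaintext passwords only to keep the sketch short.
USERS = {"alice": "s3cret"}

def decode_basic(header):
    """Return (user, password) from a Basic Authorization header, else None."""
    if not header:
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        text = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = text.partition(":")
    return (user, password) if sep else None

def normalize_user(user):
    # Assumption: the client-added domain arrives as DOMAIN\user.
    return user.rsplit("\\", 1)[-1]

def handle_request(header, is_tls):
    """Return (action, schemes_to_offer, exposed_user)."""
    if header and header.lower().startswith("digest "):
        return ("verify-digest", [], None)  # Digest checking is out of scope here
    creds = decode_basic(header)
    if not is_tls:
        if creds:
            # Refused, but the password already crossed the wire in cleartext:
            # report the account so its password can be changed.
            return ("reject", ["Digest"], normalize_user(creds[0]))
        return ("challenge", ["Digest"], None)
    if creds:
        expected = USERS.get(normalize_user(creds[0]))
        if expected is not None and hmac.compare_digest(
                expected.encode(), creds[1].encode()):
            return ("accept", [], None)
    return ("challenge", ["Digest", "Basic"], None)
```

The third element of the result is what the refusal alone does not provide: a record that the credential must be treated as compromised.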