gnu-arch-users

Re: [Gnu-arch-users] Re: WebDAV


From: Robin Green
Subject: Re: [Gnu-arch-users] Re: WebDAV
Date: Fri, 9 Apr 2004 20:26:36 +0100
User-agent: Mutt/1.5.4i

On Fri, Apr 09, 2004 at 02:00:37PM -0400, Eric S. Johansson wrote:
> OK, this looks fairly simple.  In its raw form it's probably read/write
> without authentication from your comments about .htaccess.  First
> question: how can we make it more failsafe to prevent unintended
> unrestricted write access?  Second, what authentication systems can we
> use that aren't so fragile as HTTP basic authentication?

HTML forms or whatever you want, over HTTPS?

But then, unless you pay a well-known CA, you have the "man in the middle
stealing your password using a fake certificate" vulnerability, which is
why it's better to use sftp IMO.

>  Can we use 
> digest?  http://httpd.apache.org/docs/howto/auth.html#digest

Hmm, sounds like it might actually be more secure than HTTPS in practice
for this purpose, because the password can't be stolen even by a man
in the middle, and nor can a man in the middle interfere with a request.

Another possibility is chrootssh.sf.net :) I like that one best actually,
because a simple chroot with only like 3 archives in it would be
really really easy to manage.

> it would be preferable if the webdav methods supported some form of 
> cookie system.

Why? Efficiency? With chrootssh you would get the efficiency by only having
to authenticate once.

-- 
Robin
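
Added example, not part of the original message: the HTTP Digest computation from RFC 2617 that the thread refers to, showing which parts of a request the `response` value covers. The function names and the `/archive/patch-1` PUT request are constructed for this example; the GET values are the RFC's own sample.

```python
import hashlib
import hmac

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    # The value an htdigest-style file stores; the cleartext password is not kept
    # and is never sent on the wire.
    return md5_hex(f"{username}:{realm}:{password}".encode())

def response_for(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth", body=b""):
    # RFC 2617 section 3.2.2: method and URI are hashed into A2;
    # only qop=auth-int also hashes the entity body.
    a2 = f"{method}:{uri}"
    if qop == "auth-int":
        a2 += ":" + md5_hex(body)
    ha2 = md5_hex(a2.encode())
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())

def server_accepts(stored_ha1, claimed, method, uri, nonce, nc, cnonce,
                   qop="auth", body=b""):
    # The server recomputes from the method, URI and body it actually received.
    expected = response_for(stored_ha1, method, uri, nonce, nc, cnonce, qop, body)
    return hmac.compare_digest(expected, claimed)

# Sample values from RFC 2617 section 3.5.
RFC = dict(nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001", cnonce="0a4f113b")
STORED = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")

def demo():
    get = response_for(STORED, "GET", "/dir/index.html", **RFC)
    # Constructed PUT request, protected with qop=auth-int.
    put = response_for(STORED, "PUT", "/archive/patch-1",
                       qop="auth-int", body=b"changeset", **RFC)
    return {
        "rfc_response": get,
        "same_request": server_accepts(STORED, get, "GET", "/dir/index.html", **RFC),
        "uri_changed": server_accepts(STORED, get, "GET", "/dir/other.html", **RFC),
        "body_changed_auth_int": server_accepts(
            STORED, put, "PUT", "/archive/patch-1",
            qop="auth-int", body=b"tampered", **RFC),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```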
