In Mountain Duck (and Cyberduck), if a username and password are given before the first request, the client automatically sends the Authorization header (Basic auth) on that first request. The problem is that if the chosen protocol is HTTP, the username and password are sent unprotected on the first try. There is no way to protect the user on the server side and prevent the credentials from leaking. For example, WebDAVFS, the native macOS WebDAV client (and probably davfs), avoids this by sending an OPTIONS request first and then adjusting its settings or showing a warning based on the response. If the client gets a 301 response redirecting to HTTPS, it changes the URL to HTTPS and remembers it for subsequent requests. In Cyberduck and Mountain Duck this is not the case: every single request is first sent over HTTP, and only after the 301 redirect to HTTPS is it resent over HTTPS.
So what would need to be done:
Make Mountain Duck and Cyberduck send an OPTIONS request first and recognise a 301 (redirect) response to HTTPS.
Make sure to remember the HTTPS (or other) address given in the 301 and use it for subsequent requests.
If a 403 (Forbidden) is returned for the first OPTIONS request, meaning the server does not allow HTTP connections, the client should ideally warn the user somehow, but most importantly it must not send the user's credentials.
Mainly, it should be possible to protect user credentials through server-side settings, such as forbidding access over HTTP or redirecting to a secure connection, without the credentials leaking.
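The preflight described above, written out as an added example (not Cyberduck or Mountain Duck code): an unauthenticated OPTIONS response is parsed and decides whether Basic credentials may be attached, where they go, and what to remember for later requests. The hostname, paths and raw responses are constructed for illustration, and treating an HTTP 200 as "needs explicit opt-in" is this example's choice rather than something the report specifies.

```python
"""Model of a credential-safe WebDAV preflight (added example, not project code)."""
from dataclasses import dataclass
from urllib.parse import urlsplit, urljoin

REDIRECTS = {301, 302, 307, 308}
REMEMBERED: dict[str, str] = {}  # host -> HTTPS base URL learned from a redirect


@dataclass
class Decision:
    action: str   # "send_credentials" | "refuse" | "plaintext_needs_opt_in"
    url: str      # effective URL to use for the authenticated request
    reason: str


def parse_options_response(raw: bytes) -> tuple[int, dict[str, str]]:
    """Split a raw HTTP/1.1 response head into (status code, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def preflight(url: str, raw_options_response: bytes) -> Decision:
    """Decide, from the unauthenticated OPTIONS reply, whether credentials may be sent."""
    status, headers = parse_options_response(raw_options_response)
    if status in REDIRECTS and "location" in headers:
        target = urljoin(url, headers["location"])
        if urlsplit(target).scheme == "https":
            REMEMBERED[urlsplit(url).netloc] = target  # reuse HTTPS for later requests
            return Decision("send_credentials", target, f"{status} to HTTPS; remembered")
        return Decision("refuse", url, f"{status} to non-HTTPS location {target}")
    if status == 403:
        return Decision("refuse", url, "403 on OPTIONS: server forbids this transport")
    if urlsplit(url).scheme == "https":
        return Decision("send_credentials", url, "already on TLS")
    return Decision("plaintext_needs_opt_in", url, "HTTP accepted OPTIONS; Basic auth would leak")


# Constructed sample responses; not captured from any real server.
BASE_URL = "http://dav.example.test/remote.php/dav/"
REDIRECT_RESPONSE = (b"HTTP/1.1 301 Moved Permanently\r\n"
                     b"Location: https://dav.example.test/remote.php/dav/\r\nContent-Length: 0\r\n\r\n")
FORBIDDEN_RESPONSE = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
OK_RESPONSE = b"HTTP/1.1 200 OK\r\nDAV: 1, 2\r\nAllow: OPTIONS, GET, PROPFIND\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for raw in (REDIRECT_RESPONSE, FORBIDDEN_RESPONSE, OK_RESPONSE):
        d = preflight(BASE_URL, raw)
        print(f"{d.action:24} {d.url}  ({d.reason})")
```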