Propose protocol change to HTTPS if server responds with redirect #9073

Closed
cyberduck opened this issue Oct 27, 2015 · 4 comments
Labels: enhancement, fixed, webdav


cyberduck commented Oct 27, 2015

fede2df created the issue

In Mountain Duck (and Cyberduck), upon authentication, if the username and password are given before the first request, it will automatically try to send the Authorization BasicAuth header on the first request. The problem is that if the protocol chosen is HTTP, it will send the username and password unprotected on the first try. There is no way to protect the user on the server side to prevent user credentials from leaking. For example, WebDAVFS - the native Mac OSX WebDAV client (and probably davfs) - fixes this by sending an OPTIONS request first and then, based on the response, adjusting the settings or showing a warning. If, for example, the client gets a 301 response to HTTPS, it changes the URL to HTTPS and remembers it for the next requests. In Cyberduck or Mountain Duck this is not the case: every single request first gets sent over HTTP, and only after the 301 redirect to HTTPS does it try to send it over HTTPS.

So what would need to be done:

  • make Mountain Duck and Cyberduck first try to send an OPTIONS request and acknowledge if the response is a 301 (redirect) to HTTPS
  • make sure to remember HTTPS or another address if a 301 was given to that protocol, for the next requests
  • if 403 (forbidden) was returned after the first OPTIONS packet, meaning the server doesn't allow HTTP connections, it should maybe somehow warn the user, but most importantly not allow the client to send user credentials

Mainly it should be possible to protect user credentials by settings on the server side, like forbidding access over HTTP or redirecting to a secure connection, without leaking the user credentials.
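The probe-first behaviour requested above, as an added example written for this thread (not Cyberduck or Mountain Duck code): an unauthenticated OPTIONS goes out first, a redirect is followed and its target remembered as the new base URL, and the Basic Authorization header is only attached once the URL is HTTPS; a 403 over plain HTTP aborts before any credentials are sent. `send` is an assumed transport callback, and `fake_server` is a constructed stand-in for a server that redirects HTTP to HTTPS.

```python
import base64
from urllib.parse import urljoin, urlsplit

# Hypothetical client-side probe, not Cyberduck/Mountain Duck code: send an
# unauthenticated OPTIONS first, follow a redirect and remember the new base
# URL, and only attach a Basic Authorization header once the URL is HTTPS.

REDIRECT_STATUSES = {301, 302, 307, 308}


class InsecureBasicAuth(Exception):
    """Raised instead of sending Basic credentials over plain HTTP."""


def basic_header(username, password):
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def probe_and_authenticate(url, username, password, send, max_redirects=5):
    """send(method, url, headers) -> (status, headers) is the transport.

    Returns (final_url, status) of the first authenticated request.
    """
    for _ in range(max_redirects):
        status, headers = send("OPTIONS", url, {})  # no credentials yet
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = urljoin(url, headers["Location"])  # remember for next requests
            continue
        break
    else:
        raise RuntimeError("too many redirects while probing with OPTIONS")
    scheme = urlsplit(url).scheme
    if scheme != "https":
        reason = "server forbids plain HTTP" if status == 403 else "connection is not HTTPS"
        raise InsecureBasicAuth(f"{reason} at {url}; not sending credentials")
    status, _ = send("PROPFIND", url, basic_header(username, password))
    return url, status


def fake_server(method, url, headers):
    """Constructed stand-in: redirects HTTP to HTTPS, requires auth over HTTPS."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return 301, {"Location": f"https://{parts.netloc}{parts.path}"}
    if "Authorization" not in headers:
        return 401, {"WWW-Authenticate": 'Basic realm="dav"'}
    return (207 if method == "PROPFIND" else 200), {}
```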


cyberduck commented Oct 27, 2015

@dkocher commented

You can disable this by setting the property webdav.basic.preemptive to false. Refer to Hidden configuration options.

defaults write io.mountainduck webdav.basic.preemptive false


cyberduck commented Oct 27, 2015

@dkocher commented

What is described in this ticket is implemented for FTP when the user is prompted to switch to TLS connection if the server advertises support.


cyberduck commented Jan 18, 2016

@dkocher commented

We currently do warn users about sending the Basic authentication header over HTTP with the default settings.


cyberduck commented Jan 19, 2016

@dkocher commented

In 19077.

@iterate-ch iterate-ch locked as resolved and limited conversation to collaborators Nov 26, 2021