[Cyberduck-trac] [Cyberduck] #9073: BasicAuth header being sent on first request

Cyberduck trac at trac.cyberduck.io
Tue Oct 27 08:57:04 UTC 2015 

#9073: BasicAuth header being sent on first request
----------------------------+----------------------
 Reporter:  rok             |         Owner:
     Type:  defect          |        Status:  new
 Priority:  normal          |     Milestone:
Component:  mountain duck   |       Version:  4.7.3
 Severity:  normal          |    Resolution:
 Keywords:                  |  Architecture:  Intel
 Platform:  Mac OS X 10.11  |
----------------------------+----------------------
Changes (by rok):

 * type:  enhancement => defect


Old description:

> In Mountain Duck the BasicAuth header is being sent on first try unlike
> on Cyberduck, where it tries to login anonymously. So if for an instance
> you decide to return 403 forbidden error on server in case a user tries
> to access WebDAV through HTTP it simply aborts the login process in
> Cyberduck and the user credentials are not being sent. However that is
> not the case with Mountain duck. I do notice that it warns the user about
> sending username and password in plain text, but there could be another
> layer of security that at first tries to connect to server over HTTP and
> if it gets Forbidden or some sort of an error that it displays it to the
> user, instead of blindly sending the BasicAuth credentials.

New description:

 In Mountain Duck (and Cyberduck) upon authentication if username and
 password is given before first request it will automatically try to send
 the Authorization BasicAuth header on first request. The problem is that
 if the protocol chosen is HTTP it will send the username and password
 unprotected on first try. There is no way to protect the user on server
 side to prevent user credentials from leaking. For example WebDAVFS -
 Native Mac OSX WebDAV client (and probably davfs) fix this by sending
 OPTIONS request first and then based on response adjust the settings or
 show a warning. If for example client gets 301 response to HTTPS, it
 changes the url to HTTPS and remembers it for next requests. On Cyberduck
 or Mountain duck this is not the case and every single request first gets
 sent over HTTP and later after 301 redirect to HTTPS it tries to send it
 over HTTPS.

 So what would needed to be done:
  - make Mountain duck and Cyberduck first try to send OPTIONS request and
 acknowledge if the response is 301 (redirect) to HTTPS
  - make sure to remember HTTPS or other address if 301 was given to that
 protocol for next requests
  - If 403 (forbidden) was return after first OPTIONS packet, meaning
 server doesn't allow HTTP connection it should maybe somehow warn the
 user, but most importantly not allow the client to send user credentials.

 Mainly it should be possible to protect user credentials by settings on
 server end side like forbidding access over HTTP or redirecting them to
 secure connection, without leaking the user credentials.

--

-- 
Ticket URL: <https://trac.cyberduck.io/ticket/9073#comment:1>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows

More information about the Cyberduck-trac mailing list