
#9073 closed enhancement (fixed)

Propose protocol change to HTTPS if server responds with redirect

Reported by: rok
Owned by: dkocher
Priority: normal
Milestone: 4.8
Component: webdav
Version: 4.7.3
Severity: normal
Keywords:
Cc:
Architecture: Intel
Platform: Mac OS X 10.11

Description (last modified by rok)

In Mountain Duck (and Cyberduck), upon authentication, if username and password are given before the first request, it will automatically try to send the Authorization Basic Auth header on the first request. The problem is that if the protocol chosen is HTTP, it will send the username and password unprotected on the first try. There is no way to protect the user on the server side to prevent user credentials from leaking. For example, WebDAVFS, the native Mac OS X WebDAV client (and probably davfs), fixes this by sending an OPTIONS request first and then, based on the response, adjusting the settings or showing a warning. If, for example, the client gets a 301 response to HTTPS, it changes the URL to HTTPS and remembers it for the next requests. On Cyberduck or Mountain Duck this is not the case, and every single request first gets sent over HTTP and later, after a 301 redirect to HTTPS, it tries to send it over HTTPS.

So what would need to be done:

  • make Mountain Duck and Cyberduck first try to send an OPTIONS request and acknowledge if the response is a 301 (redirect) to HTTPS
  • make sure to remember HTTPS or another address for the next requests if a 301 was given to that protocol
  • if 403 (Forbidden) is returned after the first OPTIONS request, meaning the server doesn't allow HTTP connections, it should maybe somehow warn the user, but most importantly not allow the client to send user credentials.

Mainly, it should be possible to protect user credentials by settings on the server side, like forbidding access over HTTP or redirecting to a secure connection, without leaking the user credentials.
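The OPTIONS-first flow the report asks for, as an added Python sketch that is not Cyberduck's or Mountain Duck's code: an unauthenticated OPTIONS probe follows a 301 to HTTPS and remembers the new address, a 403 on the probe aborts before any credential is sent, and Basic auth is attached only once the resolved URL is HTTPS. `send(method, url, headers)` is an assumed injected transport, and the two servers below are constructed stand-ins.

```python
import base64
from urllib.parse import urlsplit, urlunsplit

class CredentialsAtRisk(Exception):
    """Raised instead of sending Basic auth over plain HTTP."""

def basic_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}

def probe_and_authenticate(url, user, password, send, max_redirects=5):
    """Probe with OPTIONS (no credentials), follow redirects, then authenticate.

    Returns (final_url, response, transcript); transcript lists every request
    as (method, url, sent_auth) so the caller can audit what went over HTTP.
    """
    transcript = []
    for _ in range(max_redirects + 1):
        status, headers = send("OPTIONS", url, {})
        transcript.append(("OPTIONS", url, False))
        if status in (301, 302, 307, 308) and "Location" in headers:
            url = headers["Location"]  # remember the redirected address
            continue
        if status == 403:
            raise CredentialsAtRisk(f"{url} forbids plain access; not sending credentials")
        break
    else:
        raise CredentialsAtRisk("too many redirects while probing")
    if urlsplit(url).scheme != "https":
        raise CredentialsAtRisk(f"{url} is not https; refusing preemptive Basic auth")
    response = send("PROPFIND", url, basic_header(user, password))
    transcript.append(("PROPFIND", url, True))
    return url, response, transcript

def redirecting_server(method, url, headers):
    """Constructed stand-in: 301 every HTTP request to HTTPS, then require auth."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return 301, {"Location": urlunsplit(("https",) + tuple(parts[1:]))}
    if "Authorization" not in headers:
        return 401, {"WWW-Authenticate": 'Basic realm="dav"'}
    return 207, {}

def forbidding_server(method, url, headers):
    """Constructed stand-in: refuse plain HTTP outright with 403."""
    return (403, {}) if urlsplit(url).scheme == "http" else (207, {})
```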

Change History (9)

comment:1 Changed on Oct 27, 2015 at 8:57:00 AM by rok

  • Description modified (diff)
  • Type changed from enhancement to defect

comment:2 Changed on Oct 27, 2015 at 8:59:28 AM by dkocher

  • Component changed from mountain duck to webdav
  • Owner set to dkocher
  • Summary changed from BasicAuth header being sent on first request to Basic Authentication header sent prematurely

comment:3 Changed on Oct 27, 2015 at 9:01:51 AM by dkocher

You can disable this by setting the property webdav.basic.preemptive to false. Refer to Hidden configuration options.

defaults write io.mountainduck webdav.basic.preemptive false

comment:4 Changed on Oct 27, 2015 at 9:07:53 AM by dkocher

What is described in this ticket is implemented for FTP when the user is prompted to switch to TLS connection if the server advertises support.

comment:5 Changed on Oct 27, 2015 at 9:08:17 AM by dkocher

  • Milestone set to 4.8
  • Status changed from new to assigned
  • Type changed from defect to enhancement

comment:6 Changed on Jan 18, 2016 at 5:17:11 PM by dkocher

We currently do warn users about sending the Basic authentication header over HTTP with the default settings.

comment:7 Changed on Jan 18, 2016 at 5:19:04 PM by dkocher

  • Milestone changed from 4.8 to 5.0

comment:8 Changed on Jan 18, 2016 at 5:19:45 PM by dkocher

  • Summary changed from Basic Authentication header sent prematurely to Propose protocol change to HTTPS if server responds with redirect

comment:9 Changed on Jan 19, 2016 at 1:26:24 PM by dkocher

  • Milestone changed from 5.0 to 4.8
  • Resolution set to fixed
  • Status changed from assigned to closed

In r19077.
