
Which one is more secure: WebDAV/SSL or FTP


Eric Paschoalick Chaves

Jun 13, 2003, 11:09:29 AM
Hi Fellows,

I need to allow some users to update files in my IIS server using a
personalized interface (a kind of Explorer, with tree views and folders). I
was thinking about using WebDAV over SSL to make this process secure,
however due to the recent security flaw in the MS WebDAV implementation I'm not sure
about it.
Which do you guys think is more secure "overall": using SecureFTP
or WebDAV over SSL?

Cheers,

Eric.

Alessandro Perilli

Jun 13, 2003, 12:09:23 PM

Eric,
there isn't a correct answer. For sure the latest WebDAV flaws are casting
many doubts on this protocol. On the other hand any FTP implementation
could be discovered vulnerable at any time (usually when you have already
chosen and implemented it...).

Did you consider using Windows IPsec filters to secure your personalized
interface traffic (file transfer included)?

--

Alessandro Perilli
Security Consultant / Trainer

MCT - MCSE 2000 SECURITY - LINUX+
CCSI - CCSE 2000 - CCSE+ NG
CCNA - CIWP - CIWSA - CCA XP
SECURITY+

Eric Paschoalick Chaves

Jun 13, 2003, 1:47:30 PM
Hi Alessandro,

> there isn't a correct answer. For sure the latest WebDAV flaws are casting
> many doubts on this protocol. On the other hand any FTP implementation
> could be discovered vulnerable at any time (usually when you have already
> chosen and implemented it...).

I agree with you. I wish to use WebDAV because it has some concurrency
control (i.e. a file locking mechanism) which saves me from coding that, leaving
me with only the user interface stuff. But, as you have pointed out, I'm a
little afraid that future flaws will come up. Unfortunately Microsoft Internet
products have a long history with that (for all, I have no intention to
engage in a flame). From my programmer's point of view, WebDAV will be better
for me.

Could anyone from Microsoft comment on the actual situation of the WebDAV
implementation?

> Did you consider using Windows IPsec filters to secure your personalized
> interface traffic (file transfer included)?

Yes, but some workstations (server machines, to be true) have NAT, which
prevents IPsec from working (AFAIK).

Thanks for the answer,

Eric.


Alessandro Perilli

Jun 13, 2003, 2:06:34 PM
On Fri, 13 Jun 2003 14:47:30 -0300, Eric Paschoalick Chaves wrote:

> Yes, but some workstations (server machines, to be true) have NAT, which
> prevents IPsec from working (AFAIK).

If you use IIS 6.0 this problem is solved.
Look at "Support for IPSec NAT Traversal" in this article:
http://infocenter.cramsession.com/techlibrary/gethtml.asp?ID=1916

Chris Adams

Jun 14, 2003, 2:34:50 AM
Hey ~

The situation with WebDAV isn't in fact a WebDAV bug. The problem was that
WebDAV was the engine, or car, ya could say, that the hackers used to attack
the bug that existed in ntdll.dll.

With that said, we realize that it doesn't matter and that an exploit is an
exploit. Thus, you are wanting our official stance. The exploit in
ntdll.dll has been patched and hence the problem should be mitigated if an
administrator takes precautions.

In short, using WebDAV with SSL should be a good method of accomplishing
what you want. I would recommend, just for performance, that you use IIS
6.0. It has core components that allow many more threads for WebDAV than
that of Windows 2000.

HTH,
~Chris
MS IIS Supportability Lead


Eric Paschoalick Chaves

Jun 16, 2003, 8:24:55 AM
Hi Chris,

I make a "half" agreement with you, an exploit is an exploit, period.
However when exploits come out, they put the entire code in doubt, not only
for its security risk, but also for the chance of "malfunctions" and wrong
behavior showing up, which could take weeks to be mapped and solved, and
sometimes it isn't solved at all. For that, it's good to hear that WebDAV wasn't
the "point of failure"; this keeps me more confident in using it.
I'd like to take the moment to ask one more question: is it possible to
go to IIS 6 without migrating to Win2003? We're planning our migration to
Windows2003, however since it's an early launch, I think I'll wait a few more
before deploying it to my production servers, and on the other hand this
WebDAV solution that I have talked about should start next week (time is always
short, isn't it? :} )

Finally, could you point me out some good papers about WebDAV security
and management?

Thanks for all help, best regards,

Eric.


Alessandro Perilli

Jun 16, 2003, 9:07:24 AM
On Mon, 16 Jun 2003 09:24:55 -0300, Eric Paschoalick Chaves wrote:

> Finally, could you point me out some good papers about WebDAV security
> and management?

Eric,
did you read these?

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/pub_dav_webdavsecurity.asp

http://www.upenn.edu/computing/eval/2002/webdav/security.html

Eric Paschoalick Chaves

Jun 16, 2003, 4:06:15 PM
Hi Alessandro,

I haven't read those yet. Thanks for pointing them out.

Best regards,

Eric
