iDisk security problem in 10.1

LordOphidian

Adjutant On-Line
Ok, Apple's implementation of WebDAV violates the standards for WebDAV and sends passwords in plaintext. This means that when you connect to your iDisk your password is sent in plaintext over the net, making it possible to sniff your password and get access to your iDisk and mac.com email account.

Read more about it here:
http://www.securemac.com/macosxidisk.php
 

billybob

Registered
I know next to nothing about WebDAV, but either it's REALLY REALLY slow or Apple's implementation is REALLY REALLY bad. iDisk is so slow it's nearly unusable in 10.1. After reading that article, I see that they switched from AFP to WebDAV. So, following the advice in that article, I went to "Connect to Server" and typed

afp://idisk.mac.com

Not only is iDisk much much faster connecting this way, it also doesn't send my password in cleartext over the internet (as talked about in the article).

So, I recommend everyone use iDisk this way. It's faster and more secure :)
 

LordOphidian

Adjutant On-Line
I think that Apple managed to nerf WebDAV in 10.1. I'm not sure, but I seem to remember hearing it was pretty good in 10.0.4, but yeah, AFP is faster right now. The original idea for going to WebDAV is that WebDAV should in theory be faster, I believe, and it doesn't disconnect if it's not used for a certain amount of time. Sounds good, except for the fact that it's nerfed in 10.1.

Maybe 10.1.1 will fix this, but speed aside, sending the password in cleartext is just dropping the ball on the security aspect, especially when, apparently, the WebDAV standard calls for this to not be the case.
 