RE: Proxy authentication with Negotiate uses wrong host

From: Greg Hudson <ghudson_at_MIT.EDU>
Date: Wed, 24 Aug 2011 07:28:37 -0400

On Wed, 2011-08-24 at 05:52 -0400, Bert Huijben wrote:
> Then somebody added Kerberos support to neon, but the api wasn't
> updated to allow different behavior for the specific implementations.

Kerberos via HTTP negotiate is also insecure when not used over HTTPS.
In HTTP negotiate, the GSSAPI mechanism (Kerberos) isn't used to protect
the data stream, only to authenticate. So you still need a secure
channel.

(Also, negotiate auth does no channel binding, which means Kerberos
provides no additional protection against MITM attacks on the TLS
channel. That just means it's still important for the client to verify
the server cert. I've heard that Microsoft has some extensions to RFC
4559 to do channel binding, but I don't know any details and Neon almost
certainly doesn't have any support for it.)
Received on 2011-08-24 13:29:32 CEST

This message: [ Message body ]
Next message: Hyrum K Wright: "Re: rc1 is DOA. What now?"
Previous message: Julian Foad: "Re: rc1 is DOA. What now?"
In reply to: Bert Huijben: "RE: Proxy authentication with Negotiate uses wrong host"
Next in thread: 1983-01-06_at_gmx.net: "Re: RE: Proxy authentication with Negotiate uses wrong host"
Reply: 1983-01-06_at_gmx.net: "Re: RE: Proxy authentication with Negotiate uses wrong host"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]