[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: RE: Proxy authentication with Negotiate uses wrong host

From: Greg Hudson <ghudson_at_MIT.EDU>
Date: Thu, 25 Aug 2011 03:19:57 -0400

On Wed, 2011-08-24 at 07:42 -0400, 1983-01-06_at_gmx.net wrote:
> Are you refering to sole Kerberos or are you just concerned about
> transport encryption? Your statement somewhat irritates me.
> Given that the HTTP traffic cannot be securely wrapped into the GSS
> content and nor the SASL QOP can be set (like for LDAP), I would
> neglect that and still say TLS is not of your concern but of mine or
> the users in general.

Any authentication-only mechanism used over an insecure channel is
vulnerable to MITM attacks which preserve the authentication and change
the data. Of course, this applies to HTTP basic and digest over raw
HTTP just as much as it does to negotiate, so perhaps it doesn't make
sense to restrict negotiate auth to HTTPS only on this basis alone.

A further concern with HTTP negotiate is that it is scoped to the TCP
connection and not to a single HTTP request. Ignorant proxies may
combine TCP connections for multiple users' requests and inadvertently
authenticate one users' requests with anothers' credentials. I may be
wrong, but I believe this is the concern which leads implementations to
restrict NTLM to HTTPS. Switching from NTLM to Kerberos does not
mitigate this concern at all. If there are other vulnerabilities in
NTLM which don't presuppose an MITM attack, perhaps I'm wrong.
Received on 2011-08-25 09:21:07 CEST

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.