Re: NTLM and proxying

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 13 Apr 2001 10:37:23 +0200

Chemolli Francesco (USI) wrote:

> If the pinning was possible, we could even act as a basic-to-NTLM
> bridge for such cases (there was a python app announced of
> freshmeat today that does exactly this). Or maybe we have some
> ways to do this even now?

The bridge/gateway idea sounds interesting.. would allow non-NTLM
browsers to be used to connect to NTLM-only services.

> basic-to-NTLM bridge means:
>
> 1) we see a server reply with Authenticate: NTLM scheme and no
> alternate auth methods offered.
> 2) we strip that out, and replace that with a Basic challenge

Hmm.. if you have pinning then you could just as well implement NTLM
proxying. The more interesting approach would then be to add a Basic
challenge, and optionally (per configuration) filter out NTLM.

Having NTLM proxied outside the LAN is a security risk, as a carefully
crafted NTLM challenge can reveal much details about the NTLM hash of
the user, so I imagine some networks would like to have NTLM proxying
disabled in all cases even if the proxy is capable of handling it.

Perhaps we should have configuration directive to enable/disable wich
authentication methods are forwarded to the browsers, and gateways from
Basic to NTLM and/or Digest where possible (and enabled).

I am a bit reluctant about having auth gatewaying/bridging enabled by
default. Having Basic->NTLM/Digest gatewaying enabled might put the
users at risk if they beleive that a "secure" login mechanism is used
but in fact their login information is sent in plain text between the
browser and proxy.

/ Henrik
Received on Fri Apr 13 2001 - 02:47:23 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:13:45 MST