Re: [SQU] Disable authentication Realm, No Authprompts with MS-Proxy Explorer

From: Robert Collins <robert.collins@dont-contact.us>
Date: Mon, 16 Oct 2000 18:55:16 +1100

> > MS Proxy (and IIS) come with a proprietary authentication method 'NTLM'.
> > IE will automatically use the user's cached MS network password hash to
> > authenticate using NTLM to local servers (including proxies).
>
> It will also authenticate against remote servers (sic).
> The NTLM authentication scheme does not send the password
> over the wire, but is quite vulnerable to brute-force attacks
> if the server's administrator is trying to determine his callers'
> passwords. This has been reported as the source of a number
> of security vulnerabilities in Windows. Check BugTraq for more
> info.

Very true. It's also open to chosen-challenge attacks. I think MS altered IE
to only automatically respond to a challenge if the server is a) a
configured proxy or b) in the local intranet/trusted server zones. In short,
while it's better than plaintext, it's not that much better.

> > All win32
> > versions of IE from 3.02 and above support this.
>
> Only in Win9X/ME and WinNT/2k. Apparently the feature requires
> some support from the system, which Windows 3.XX doesn't offer.

I meant "win32 versions" to cover that. I don't know if Solaris is covered -
anyone out there know?

Received on Mon Oct 16 2000 - 01:54:25 MDT