RE: [squid-users] Re: ntlm won't prompt

From: Adam Aube <aaube@dont-contact.us>
Date: Fri, 11 Jul 2003 08:26:29 -0400

> The NTLM over HTTP is fundamentally broken in its design and should
> never have seen the light. A classical "do it our way without regards
> to standards" invention by Microsoft.

Yes, NTLM is horribly broken - just like almost everything developed by
Microsoft. The only reason I recommend it is because of the single sign
on capability it offers, that both basic and digest do not offer.

> The exact same thing (automatic single sign on, without risking the
> user's private password) is fully possible to do with Digest MD5-sess
> authentication, and I wish browser and OS vendors would see the light
> and do so.

You're right - the integration shouldn't be too difficult either. There
would have to be some standard for the realm string (DNS domain name would
be a good pick), and the OS would have to store MD5(username:realm:password)
in its password database.

It's just an issue of getting the vendors to support it - the OS vendors
would have to support it first. AFAIK, even Linux doesn't support it.

What about wrapping basic auth in SSL?

Adam

Received on Fri Jul 11 2003 - 06:26:34 MDT
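
The scheme discussed in this message, sketched as an added example (not code from the thread or from Squid): a client answers a Digest MD5-sess challenge using only the stored MD5(username:realm:password), so the cleartext password is never needed at sign-on time. Function names, the sample account and the nonces are constructed; feeding the inner hash as lowercase hex is an assumption about the encoding.

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def stored_credential(username, realm, password):
    """Value the OS password database would hold; computed once, at password set."""
    return md5_hex(f"{username}:{realm}:{password}")


def session_key(stored, nonce, cnonce):
    """MD5-sess A1 hash: the stored value bound to this server and client nonce."""
    return md5_hex(f"{stored}:{nonce}:{cnonce}")


def digest_response(stored, method, uri, nonce, cnonce, nc="00000001", qop="auth"):
    """Client side: build the response from the stored hash, not the password."""
    ha1 = session_key(stored, nonce, cnonce)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def proxy_verify(db, username, method, uri, nonce, cnonce, nc, response):
    """Server side: recompute from its own copy of the stored hash and compare."""
    stored = db.get(username)
    if stored is None:
        return False
    expected = digest_response(stored, method, uri, nonce, cnonce, nc)
    return hmac.compare_digest(expected, response)


# Constructed sample data: realm is the DNS domain name, as suggested above.
REALM = "example.com"
DB = {"alice": stored_credential("alice", REALM, "correct horse")}

if __name__ == "__main__":
    nonce, cnonce = "srv-nonce-1", "cli-nonce-1"
    # The client OS holds the same hash and signs in without prompting.
    resp = digest_response(DB["alice"], "GET", "http://example.com/", nonce, cnonce)
    print(proxy_verify(DB, "alice", "GET", "http://example.com/",
                       nonce, cnonce, "00000001", resp))
```

The stored hash is password-equivalent within its realm, so the database holding it needs the same protection a cleartext password file would.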

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:17:56 MST