Re: [Fwd: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein]

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 5 Aug 2005 14:03:37 +0200 (CEST)

On Wed, 20 Jul 2005, Kinkie wrote:

> IIRC we _do_ have provisions in place to avoid this kind of problem.

We do. For a start we refuse to forward NTLM or Negotiate authentication
as mentioned in the paper (Scope of attack), completely eliminating the
issue. And in addition we also send the Via header.

We also have quite strong protections from request smuggling/splitting,
and relatively strong protections against response splitting as discussed
by the two referenced papers.

Squid-3 still is a bit behind in these matters, but it will catch up.

>> Scope of the attack
>> ===================
>>
>> *) Not all proxy servers honor NTLM authentication. Squid, for one,
>> deliberately doesn't support NTLM
>> (http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.14). Indeed,
>> Squid seems to strip off the WWW-Authenticate header if it contains
>> NTLM or Negotiate, thereby effectively disabling NTLM authentication
>> between the client and the web server. But as mentioned above, there
>> are some proxy servers that do support NTLM authentication, such as
>> Sun Proxy 4.

>> *) The web server (IIS/6.0) must receive a Via-less request. The
>> Microsoft implementation assumes that the Via header is always sent
>> by a proxy server, and this is indeed mandated by the HTTP/1.1 RFC
>> 2616 (http://www.ietf.org/rfc/rfc2616.txt), section 14.45:

Regards
Henrik
Received on Fri Aug 05 2005 - 06:03:42 MDT
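The two proxy-side protections Henrik describes (refusing to relay NTLM/Negotiate challenges, and always adding a Via header as RFC 2616 section 14.45 requires) can be illustrated with a small header filter. The code below is an added example, not Squid's code and not from the paper; the header representation, the proxy name `squid.example` and the sample messages are constructed for it, and it assumes each challenge arrives in its own WWW-Authenticate field.

```python
"""Proxy-side hardening illustrated from the Squid behaviour described above.

Two defensive steps are shown:
  1. strip connection-oriented challenge schemes (NTLM, Negotiate) from
     WWW-Authenticate headers relayed to the client, so a per-connection
     authentication can never be multiplexed across the proxy's connections;
  2. append a Via entry (RFC 2616 section 14.45) to every forwarded request,
     so the origin server can see that the request crossed a proxy.

Headers are modelled as a list of (name, value) pairs; the proxy name and
the sample messages are constructed for this example.
"""
from typing import List, Tuple

Header = Tuple[str, str]

# Schemes that authenticate a TCP connection rather than each request.
CONNECTION_ORIENTED_SCHEMES = frozenset({"ntlm", "negotiate"})


def _challenge_scheme(value: str) -> str:
    """Return the auth-scheme token that starts a challenge, lower-cased."""
    stripped = value.strip()
    return stripped.split(None, 1)[0].lower() if stripped else ""


def strip_connection_auth(headers: List[Header]) -> List[Header]:
    """Drop WWW-Authenticate headers whose scheme is NTLM or Negotiate.

    Other challenges (Basic, Digest) pass through unchanged. Assumption:
    each challenge is carried in its own header field, which is how the
    NTLM and Negotiate challenges are normally emitted.
    """
    kept: List[Header] = []
    for name, value in headers:
        if (name.lower() == "www-authenticate"
                and _challenge_scheme(value) in CONNECTION_ORIENTED_SCHEMES):
            continue  # refuse to relay the connection-oriented challenge
        kept.append((name, value))
    return kept


def add_via(headers: List[Header], received_protocol: str, proxy_name: str) -> List[Header]:
    """Append a Via hop of the form 'received-protocol received-by'.

    RFC 2616 14.45 lets the protocol name be omitted for HTTP, so an
    HTTP/1.1 hop is written as "1.1 proxy_name". An existing Via header
    is extended rather than duplicated, keeping the proxy chain in order.
    """
    version = received_protocol.split("/", 1)[-1]
    hop = f"{version} {proxy_name}"
    out: List[Header] = []
    appended = False
    for name, value in headers:
        if name.lower() == "via" and not appended:
            out.append((name, f"{value}, {hop}"))
            appended = True
        else:
            out.append((name, value))
    if not appended:
        out.append(("Via", hop))
    return out


# Constructed sample messages (not captured traffic).
SAMPLE_RESPONSE_HEADERS: List[Header] = [
    ("Server", "Microsoft-IIS/6.0"),
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", "NTLM"),
    ("WWW-Authenticate", 'Basic realm="intranet"'),
    ("Content-Length", "0"),
]
SAMPLE_REQUEST_HEADERS: List[Header] = [
    ("Host", "intranet.example"),
    ("User-Agent", "constructed-client/1.0"),
]

if __name__ == "__main__":
    print("Response headers relayed to the client:")
    for name, value in strip_connection_auth(SAMPLE_RESPONSE_HEADERS):
        print(f"  {name}: {value}")
    print("Request headers forwarded to the origin:")
    for name, value in add_via(SAMPLE_REQUEST_HEADERS, "HTTP/1.1", "squid.example"):
        print(f"  {name}: {value}")
```

Run stand-alone, the filter leaves only the Basic challenge in the relayed response and adds `Via: 1.1 squid.example` to the forwarded request; the origin server therefore never sees the Via-less request the paper's scenario depends on.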
