- From: Henrik Nordström <henrik@henriknordstrom.net>
- Date: Thu, 01 Mar 2012 00:21:51 +0100
- To: Adrien de Croy <adrien@qbik.com>
- Cc: ietf-http-wg@w3.org
On Thu, 2012-03-01 at 11:57 +1300, Adrien de Croy wrote:

> that depends on proxy design. If the challenges and responses are going
> over the same TCP connection it's pretty simple.

I won't go into this. HTTP is message oriented, not connection oriented.

> the main area we see the problem is actually not in proxy auth, but when
> a proxy intercepts the connection, requires auth and then the website
> requires auth as well.
>
> It's hard for the proxy to know whether an auth response should be
> processed by itself, or upstream.

Are you talking of transparent intercepting proxies doing NTLM here? If you do then please stop, that just happens to work because the security model of NTLM is plain broken, allowing it to be abused in MITM attacks in completely insecure manners. End of discussion. Please let NTLM die a painful death.

> In most cases though where this happens, wouldn't the upstream proxies
> be within the same administrative domain? e.g. so creds should work,
> and leakage shouldn't be a problem.

Even that assumption only holds for basic auth. With anything else it breaks.

Regards
Henrik
Received on Wednesday, 29 February 2012 23:22:20 UTC
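Added illustration, not part of the thread: how a message-oriented proxy tells its own credentials from the origin's. Proxy-Authorization answers the proxy's 407 and is consumed there; Authorization answers the origin's 401 and is forwarded untouched. The credential store, the `handle_at_proxy` function and the sample request are constructed for this example.

```python
"""Per-message credential routing at an HTTP proxy (constructed example)."""
import base64

# Constructed proxy credential store, not a real deployment.
PROXY_USERS = {"alice": "proxy-secret"}


def basic_token(user: str, password: str) -> str:
    """Build the base64 part of a 'Basic' credential for the sample request."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (request_line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def proxy_auth_ok(value: str) -> bool:
    """Validate a Basic Proxy-Authorization value against PROXY_USERS."""
    scheme, _, creds = value.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, _, pw = base64.b64decode(creds).decode().partition(":")
    except Exception:
        return False
    return PROXY_USERS.get(user) == pw


def handle_at_proxy(raw: str):
    """Return ('reject', 407) or ('forward', headers to send upstream).

    The decision is made from the message alone: the proxy never has to
    guess from connection state whose credentials it is looking at.
    """
    _, headers, _ = parse_request(raw)
    proxy_creds = headers.pop("proxy-authorization", None)
    if proxy_creds is None or not proxy_auth_ok(proxy_creds):
        return "reject", 407
    # Proxy-Authorization is hop-by-hop: consumed here, never forwarded.
    # Authorization belongs to the origin server and is left untouched.
    return "forward", headers
```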