WebApp Sec mailing list archives
RE: (Fwd) RE: NTLM HTTP Authentication is insecure by design - a n
From: "Cyrill Osterwalder" <cyrill.osterwalder () seclutions com>
Date: Fri, 12 Aug 2005 09:10:06 +0200
Amit Klein and I went into more details about using NTLM authentication for Web application environments in a discussion off the list. We came to a mutual understanding, and the summary could be useful for the list readers as well, as it supports the concerns brought up by Amit in the first place about NTLM connections in general.

[Amit Klein wrote:]

> With respect to your explanation, and making sure I understand it:
> 1. You do not maintain NTLM authenticated connection with the web server.
> 2. Your solution requires modification to the web application (changing the NTLM authentication into other, non-connection oriented authentication methods).
> 3. Your solution uses an NTLM login server, which means essentially that AirLock performs the NTLM authentication (more accurately, it "outsources" it to the login server, but from the web server's perspective, AirLock "handles" the NTLM authentication).
>
> However, I think that this approach, while 100% legitimate (and obviously, since it simply works in the field, as you testify), is not what the average WebAppSec reader would consider as "pooling NTLM connections". I think this point needs to be clarified.

Your summary is absolutely correct. There are always different angles to look at something. After our discussions I can only agree with your approach to warn people about pooling NTLM connections to back-end servers in a proxy server. Our customer-driven concept is clearly motivated by leveraging NTLM as authentication for the users, but it does not pool NTLM connections to back-end servers, because that would be, as you correctly describe in your write-up, not secure. We do not solve the technical NTLM problem itself (as this can probably not be solved without changing NTLM over HTTP), but we enable NTLM usage for proxy authentication environments. The detailed differences between the pooled NTLM connections you address and the way we support NTLM as a single sign-on authentication to Web application environments are now much clearer. Thanks for that.

Best regards
Cyrill Osterwalder
Chief Technology Officer
Seclutions AG
http://www.seclutions.com
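A toy model of the point the thread agrees on, added here as an illustration and not code from the thread, from AirLock or from Seclutions: NTLM over HTTP binds the identity to the back-end connection, so a proxy pool that hands any idle connection to any client lets one user's requests ride on another user's authenticated connection. The class and function names (NaivePool, UserBoundPool, serve) and the per-user binding are my own assumptions for the demonstration; the thread's real remedy is to terminate NTLM at a login server and not pool NTLM connections at all.

```python
from dataclasses import dataclass

@dataclass
class BackendConnection:
    """Proxy-to-back-end connection. NTLM over HTTP authenticates the whole
    connection; later requests carry no credentials, so the socket is the identity."""
    conn_id: int
    authenticated_as: "str | None" = None

    def ntlm_handshake(self, user):
        self.authenticated_as = user  # stands in for the Type 1/2/3 exchange

    def request(self, path):
        # The back-end trusts the connection's principal, not the request's origin.
        return self.authenticated_as or "anonymous"

class NaivePool:
    """Unsafe: any idle connection goes to any client, so a connection that
    alice authenticated will serve bob's requests under alice's identity."""
    def __init__(self):
        self.idle, self.opened = [], 0

    def open(self):
        self.opened += 1
        return BackendConnection(self.opened)

    def acquire(self, user):
        return self.idle.pop() if self.idle else self.open()

    def release(self, conn):
        self.idle.append(conn)

class UserBoundPool(NaivePool):
    """Safer: an idle connection is handed back only to the principal that
    authenticated it, so reuse never crosses users."""
    def acquire(self, user):
        mine = [c for c in self.idle if c.authenticated_as == user]
        if not mine:
            return self.open()
        self.idle.remove(mine[0])
        return mine[0]

def serve(pool, user, path):
    """Proxy path: borrow, authenticate only if fresh, forward, report identity used."""
    conn = pool.acquire(user)
    if conn.authenticated_as is None:
        conn.ntlm_handshake(user)
    served_as = conn.request(path)
    pool.release(conn)
    return served_as
```

With NaivePool, bob's request after alice's is served as "alice"; with UserBoundPool the proxy opens a second connection and bob is served as "bob".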