WebApp Sec mailing list archives

RE: (Fwd) RE: NTLM HTTP Authentication is insecure by design - a n


From: "Cyrill Osterwalder" <cyrill.osterwalder () seclutions com>
Date: Fri, 12 Aug 2005 09:10:06 +0200


Amit Klein and I went into more details about using NTLM authentication for
Web application environments in a discussion off the list. We came to a
mutual understanding, and the summary could be useful for the list readers as
well, as it supports the concerns Amit brought up in the first place about
NTLM connections in general.

[Amit Klein wrote:]
With respect to your explanation, and making sure I understand it:

1. You do not maintain an NTLM authenticated connection with the web server.

2. Your solution requires modification to the web application (changing the
NTLM authentication into other, non-connection-oriented authentication
methods).

3. Your solution uses an NTLM login server, which means essentially that
AirLock performs the NTLM authentication (more accurately, it "outsources" it
to the login server, but from the web server's perspective, AirLock "handles"
the NTLM authentication). However, I think that this approach, while 100%
legitimate (and obviously, since it simply works in the field, as you
testify), is not what the average WebAppSec reader would consider as "pooling
NTLM connections". I think this point needs to be clarified.

Your summary is absolutely correct. There are always different angles to look
at something. After our discussions I can only agree with your approach to
warn people about pooling NTLM connections to back-end servers in a proxy
server. Our customer-driven concept is clearly motivated by leveraging NTLM
as authentication for the users, but it does not pool NTLM connections to
back-end servers, because that would be, as you correctly describe in your
write-up, not secure. We do not solve the technical NTLM problem itself (as
this can probably not be solved without changing NTLM over HTTP), but we
enable NTLM usage for proxy authentication environments. The detailed
differences between the pooled NTLM connections you address and the way we
support NTLM as a single sign-on authentication to Web application
environments are now much clearer. Thanks for that.

Best regards

Cyrill Osterwalder

Chief Technology Officer
Seclutions AG

http://www.seclutions.com
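As an added illustration, not code from this thread, AirLock or Seclutions, here is a constructed Python model of the two designs the numbered points above contrast: a proxy that pools NTLM-authenticated back-end connections, and one that terminates NTLM itself and forwards a per-request identity to a back end changed to a non-connection-oriented scheme. All class and function names are assumptions of this example.

```python
# Constructed model of the two designs discussed in the thread (not AirLock's
# or any vendor's code). NTLM over HTTP binds the negotiated identity to the
# TCP connection, so a proxy that hands an idle, already-authenticated
# connection to the next client serves that client as the previous user.

class NtlmBackend:
    """Connection-oriented auth: the identity negotiated on a connection is
    applied to every later request on that same connection."""
    def handle(self, conn, request):
        if conn.get("user") is None:         # fresh connection: NTLM handshake
            conn["user"] = request["creds"]  # identity is now bound to the socket
        return {"served_as": conn["user"], "path": request["path"]}

class PoolingProxy:
    """Unsafe design: any idle back-end connection is reused for any client."""
    def __init__(self, backend):
        self.backend, self.idle = backend, []

    def forward(self, client_user, path):
        conn = self.idle.pop() if self.idle else {"user": None}
        resp = self.backend.handle(conn, {"creds": client_user, "path": path})
        self.idle.append(conn)               # back into the shared pool
        return resp

class PerRequestBackend:
    """Back end changed to a non-connection-oriented scheme (point 2 above):
    identity is read from each request, never remembered on the connection."""
    def handle(self, conn, request):
        return {"served_as": request["asserted_user"], "path": request["path"]}

class TerminatingProxy:
    """Design described in the thread (points 1 and 3): the proxy authenticates
    the user itself via its NTLM login server and forwards every request with
    an explicit per-request identity over pooled, unauthenticated connections."""
    def __init__(self, backend):
        self.backend, self.idle = backend, []

    def forward(self, client_user, path):
        conn = self.idle.pop() if self.idle else {}
        req = {"asserted_user": client_user, "path": path}
        resp = self.backend.handle(conn, req)
        self.idle.append(conn)
        return resp

def run_scenario(proxy):
    """Alice's request, then Bob's, through one proxy; returns who Bob is served as."""
    proxy.forward("alice", "/inbox")
    return proxy.forward("bob", "/inbox")["served_as"]
```

Running `run_scenario` with each proxy shows the pooled design answering Bob's request as Alice, while the terminating design answers it as Bob. In a real deployment the per-request identity assertion itself needs protection (for example a signed token or a channel only the proxy can use), which this toy omits.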
