On Wed, Feb 22, 2017 at 11:34:19PM +0000, brian m. carlson wrote: > Browsers usually disable this feature by default, as it basically will > attempt to authenticate to any site that sends a 401. For Kerberos > against a malicious site, the user will either not have a valid ticket > for that domain, or the user's Kerberos server will refuse to provide a > ticket to pass to the server, so there's no security risk involved. > > I'm unclear how SPNEGO works with NTLM, so I can't speak for the > security of it. From what I understand of NTLM and from RFC 4559, it > consists of a shared secret. I'm unsure what security measures are in > place to not send that to an untrusted server. > > As far as Kerberos, this is a desirable feature to have enabled, with > little downside. I just don't know about the security of the NTLM part, > and I don't think we should take this patch unless we're sure we know > the consequences of it. Hmm. That would be a problem with my proposed patch 2 then, too, if only because it turns the feature on by default in more places. If it _is_ dangerous to turn on all the time, I'd think we should consider warning people in the http.emptyauth documentation. -Peff