Jeff King <peff@xxxxxxxx> writes:

> On Wed, Feb 22, 2017 at 11:34:19PM +0000, brian m. carlson wrote:
>
>> Browsers usually disable this feature by default, as it basically will
>> attempt to authenticate to any site that sends a 401. For Kerberos
>> against a malicious site, the user will either not have a valid ticket
>> for that domain, or the user's Kerberos server will refuse to provide a
>> ticket to pass to the server, so there's no security risk involved.
>>
>> I'm unclear how SPNEGO works with NTLM, so I can't speak for the
>> security of it. From what I understand of NTLM and from RFC 4559, it
>> consists of a shared secret. I'm unsure what security measures are in
>> place to not send that to an untrusted server.
>>
>> As far as Kerberos, this is a desirable feature to have enabled, with
>> little downside. I just don't know about the security of the NTLM part,
>> and I don't think we should take this patch unless we're sure we know
>> the consequences of it.
>
> Hmm. That would be a problem with my proposed patch 2 then, too, if only
> because it turns the feature on by default in more places.
>
> If it _is_ dangerous to turn on all the time, I'd think we should
> consider warning people in the http.emptyauth documentation.

Yeah, http.<url>.emptyAuth that knows where it is going may be a lot
safer but a blanket http.emptyAuth does sound bad.
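An added example, not from the thread or from Git itself, that makes the distinction in the reply concrete: it audits gitconfig text for the blanket `[http] emptyAuth = true` (applies to every 401 from any host) versus the URL-scoped `[http "<url>"]` form, using constructed hostnames and a constructed sample config.

```shell
#!/bin/sh
# Added example: audit gitconfig text for http.emptyAuth settings.
# Hostnames below are constructed placeholders, not real servers.

# Constructed sample config: one blanket setting and two URL-scoped ones.
SAMPLE_CONFIG='[http]
    emptyAuth = true
[http "https://git.example.corp/"]
    emptyAuth = true
[http "https://other.example.corp/"]
    emptyAuth = false
'

# Reads gitconfig text on stdin. Prints "blanket" for an unscoped [http]
# section that enables emptyAuth, "scoped <url>" for a URL-limited one.
# Git config keys are case-insensitive, hence tolower().
audit_empty_auth() {
    awk '
        { gsub(/=/, " ") }
        /^\[http\]/ { section = "blanket"; next }
        /^\[http "/ {
            match($0, /"[^"]*"/)
            section = "scoped " substr($0, RSTART + 1, RLENGTH - 2)
            next
        }
        /^\[/ { section = ""; next }
        section != "" && tolower($1) == "emptyauth" && tolower($2) == "true" {
            print section
        }
    '
}

# Succeeds (exit 0) when a blanket emptyAuth=true is present, i.e. the
# configuration the reply above calls out as the risky one.
has_blanket_empty_auth() {
    printf '%s' "$1" | audit_empty_auth | grep -q '^blanket$'
}
```

The same check can be run on a real file with `audit_empty_auth < ~/.gitconfig`; only the blanket line is the one worth flagging, since the scoped form already "knows where it is going".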