Search squid archive

Re: Security of NTLM authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 02 Jun 2009 19:44:03 -0300, Leonardo Rodrigues
<leolistas@xxxxxxxxxxxxxx> wrote:
> Hello Guys,
> 
>     a simple question ..... i know that basic authentication schemas 
> transmit username/password in cleartext over the wire. It' base64 
> encoded, but it's trivially detected and decoded, which make them not 
> the most secure ones to use.
> 
>     do NTLM authentication schemas are more secure than basic ones, i 
> mean, do NTLM authentication schema transmit cleartext (or simply 
> encoded) username/passwords over the wire ?

NTLM uses a side channel directly between the domain control server and the
machine needing to check auth. I'm not sure how that is coded. The HTTP
side of the triangle includes a hash of the credentials.

One thing to be wary of is that NTLM hash strength is pretty much limited
by the Windows releases involved. The older versions used by Win9x are
hashes which are now trivially broken, none are completely secure. The
latest windows releases have deprecated it in favor of the much more secure
Kerberos (but that won't work with anything much older than XP and IE6).

There is also digest authentication, which is the IETF standard for secure
authentication over HTTP. Some people actually use it too. And it works
without needing windows or domain controllers.

Amos


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux