
Re: One Time Password with squid, exists?

Thanks Amos,

So NTLM has "two-step" authentication, which means that there is a basic negotiation over the HTTP connection to the proxy, which makes it less secure than Kerberos.

(speculating)
The main reason it's less secure than Kerberos is that every part of the password negotiation is done in the same channel over which the proxy is being contacted, and therefore no third-party "verification" of the authenticity of any of the tokens can be applied. As a matter of fact, NTLM HTTP proxy authentication may be intercepted and lots of bad things can be done to the connections.

I will try to read more about Digest authentication to make sure I will not create something when it's not needed.

But in any case, if there is an option to make the proxy-to-client connection one level more secure than a plain HTTP proxy port, it should be considered better, right?

Eliezer

On 12/03/2015 04:01, Amos Jeffries wrote:
To answer that you need to define OTP.

* Basic is the only scheme which delivers a password. So technically the
others are all one-use-password schemes already.

* Digest with nonce count 1 is a one-time-token scheme at the message level.

* Negotiate and NTLM are one-time-token schemes at the TCP connection level.

* Basic auth can be one-time-token but requires supporting logic to be
implemented in the clients, server, and a token assignment mechanism. It's
easier to just use Digest in most cases.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
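Amos's point that Digest with a nonce count is a one-time token at the message level can be made concrete. The following is an added example, not code from the thread or from Squid: it computes the RFC 2617 Digest "auth" response the way a client would, and shows a proxy-side verifier that accepts each (nonce, nc) pair only once, so a captured Proxy-Authorization header cannot simply be replayed. The realm, user, password, URI and client nonce are constructed sample values.

```python
import hashlib
import secrets


def _h(s: str) -> str:
    """MD5 hex digest as used by the RFC 2617 'MD5' algorithm."""
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client-side RFC 2617 response for qop=auth.

    nc is the nonce count as an int; the header carries it as 8 hex digits.
    Because nonce, nc and cnonce are mixed into the hash, the response is
    bound to this one request and cannot be reused with a different nc.
    """
    ha1 = _h(f"{username}:{realm}:{password}")
    ha2 = _h(f"{method}:{uri}")
    return _h(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Proxy-side check: valid credentials AND a strictly increasing nc per nonce."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users          # constructed sample store: username -> password
        self.seen = {}              # nonce -> highest nc accepted so far

    def new_nonce(self) -> str:
        """Issue a fresh server nonce (sent in Proxy-Authenticate)."""
        nonce = secrets.token_hex(16)
        self.seen[nonce] = 0
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response) -> bool:
        if nonce not in self.seen:
            return False                        # unknown or expired nonce
        if nc <= self.seen[nonce]:
            return False                        # replayed nc: token already spent
        password = self.users.get(username)
        if password is None:
            return False
        expected = digest_response(username, self.realm, password, method, uri, nonce, nc, cnonce)
        if not secrets.compare_digest(expected, response):
            return False                        # wrong password or tampered request
        self.seen[nonce] = nc                   # consume this nc
        return True


def demo():
    """Returns (first_ok, replay_ok, next_nc_ok) for one nonce lifetime."""
    proxy = DigestVerifier("squid-proxy", {"alice": "correct horse"})
    nonce = proxy.new_nonce()
    cnonce = "0a4f113b"                         # constructed client nonce
    uri = "http://www.example.com/"

    r1 = digest_response("alice", "squid-proxy", "correct horse", "GET", uri, nonce, 1, cnonce)
    first_ok = proxy.verify("alice", "GET", uri, nonce, 1, cnonce, r1)
    replay_ok = proxy.verify("alice", "GET", uri, nonce, 1, cnonce, r1)   # same header again

    r2 = digest_response("alice", "squid-proxy", "correct horse", "GET", uri, nonce, 2, cnonce)
    next_nc_ok = proxy.verify("alice", "GET", uri, nonce, 2, cnonce, r2)
    return first_ok, replay_ok, next_nc_ok


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The password never crosses the wire, which is why Amos puts Digest ahead of Basic; what the replay check adds is that an observer who copies a valid header cannot present it a second time with the same nc. Squid exposes the same idea through its `auth_param digest` options such as `check_nonce_count` and `nonce_max_count`; the verifier above is a plain illustration of the check, not Squid's implementation.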
