[Webkit-unassigned] [Bug 122952] [GTK][WPE] Support NTLM authentication

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Sep 9 06:47:52 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=122952

--- Comment #25 from Michael Catanzaro <mcatanzaro at gnome.org> ---
(In reply to Michael Catanzaro from comment #24)
> Hm, yes, works in MiniBrowser for me too. Well, this is a one-liner to fix
> in WebKit, then, unless we want all the plumbing to keep it disabled by
> default. I'll ask Dan Winship to comment. His opinion was previously that we
> should not enable NTLM by default, but it's clear that Firefox does, so
> ?????.

Reading comment #0, I see the concern is that a MITM attacker can force the browser to give up cached credentials if authentication occurs via http:// rather than https://:

(In reply to Brian Holt from comment #0)
> From Dan Winship:
> There are some arguments against enabling it by default; if you have the
> client-side samba stuff installed, and are logged into a Windows domain,
> then NTLM authentication can happen completely transparently (i.e., no
> "authenticate" signal, no password dialog) using the cached credentials, and
> there are attacks against intranets that you could make using that
> functionality if you could hijack someone's http connection... so it's best
> to only have it get used when the app is explicitly expecting it to be used
> (as in evolution).

Well, that applies to other authentication schemes as well, since, as I just described, Ephy caches credentials for all schemes. Epiphany segregates this by protocol, so credentials for an https:// page will never be used for an http:// page. Regardless of whether or not Samba does that, I understand NTLM is considered generally insecure, so hopefully organizations that care about security won't use it. And certainly we don't have to be more secure than Firefox. So I guess enabling it by default is OK.
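As an added illustration (not Epiphany's or WebKit's own code), here is a small Python model of the two mitigations this comment relies on: a credential cache keyed by exact origin, so nothing saved for https:// is ever handed to an http:// challenge, and an NTLM opt-in flag standing in for the "only when the app expects it" default. The URLs, account names and the `allow_ntlm` parameter are constructed assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class CredentialCache:
    """Cached credentials keyed by (scheme, host, port), never by host alone."""
    _store: dict = field(default_factory=dict)

    @staticmethod
    def origin(url):
        u = urlsplit(url)
        port = u.port or (443 if u.scheme.lower() == "https" else 80)
        return (u.scheme.lower(), (u.hostname or "").lower(), port)

    def save(self, url, username, secret):
        self._store[self.origin(url)] = (username, secret)

    def lookup(self, url):
        # Exact-origin match only: https credentials are invisible to http.
        return self._store.get(self.origin(url))


def decide(url, www_authenticate, cache, allow_ntlm=False):
    """Choose how to answer a WWW-Authenticate challenge.

    Returns "unsupported" (challenge ignored), "prompt" (ask the user, the
    analogue of the 'authenticate' signal) or "transparent" (reuse cached
    credentials silently). Silent reuse is allowed only over https and only
    for an exact origin match, so a challenge injected into a plaintext
    http connection can never trigger an automatic reply.
    """
    auth_scheme = www_authenticate.split(None, 1)[0].lower()
    if auth_scheme == "ntlm" and not allow_ntlm:
        return "unsupported"          # assumed default: NTLM off unless opted in
    scheme, _host, _port = CredentialCache.origin(url)
    if scheme != "https":
        return "prompt"               # plaintext: never answer without the user
    if cache.lookup(url) is None:
        return "prompt"               # nothing cached for this exact origin
    return "transparent"


if __name__ == "__main__":
    cache = CredentialCache()                      # constructed sample data
    cache.save("https://intranet.example/", "alice", "s3cret")
    print(decide("https://intranet.example/page", 'Basic realm="x"', cache))  # transparent
    print(decide("http://intranet.example/page", 'Basic realm="x"', cache))   # prompt
    print(decide("https://intranet.example/", "NTLM", cache))                 # unsupported
```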
