Re: NTLM question

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 22 Aug 2001 00:58:05 +0200

"Chemolli Francesco (USI)" wrote:

> I contend this. It is popular in MS-only or almost-MS-only enterprises
> for intranets because it allows single-sign-on.
> Anybody using it over the internet should be beaten to a bloody pulp. For
> instance
> accessing a site via a transparent proxy (as many ISPs seem to be doing
> currently)
> would not work.

And a browser author writing a browser that accepts doing NTLM to Internet
hosts should be beaten even harder, as it is then cryptographically quite
trivial to deduce the users private password hash, or even simpler to simply
use the information provided by the browser to log on to resources in the
users domain..

Note: This also applies to UNC file: URL's.

--
Henrik
Received on Tue Aug 21 2001 - 18:03:22 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:14 MST