Re: [squid-users] Security of NTLM authentication

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 03 Jun 2009 11:59:25 +1200

On Tue, 02 Jun 2009 19:44:03 -0300, Leonardo Rodrigues
<leolistas_at_solutti.com.br> wrote:
> Hello Guys,
>
> A simple question: I know that basic authentication schemes
> transmit username/password in cleartext over the wire. It's base64
> encoded, but it's trivially detected and decoded, which makes them not
> the most secure ones to use.
>
> Are NTLM authentication schemes more secure than basic ones? I
> mean, does the NTLM authentication scheme transmit cleartext (or simply
> encoded) usernames/passwords over the wire?

NTLM uses a side channel directly between the domain control server and the
machine needing to check auth. I'm not sure how that is coded. The HTTP
side of the triangle includes a hash of the credentials.

One thing to be wary of is that NTLM hash strength is pretty much limited
by the Windows releases involved. The older versions used by Win9x are
hashes which are now trivially broken, and none are completely secure. The
latest Windows releases have deprecated it in favor of the much more secure
Kerberos (but that won't work with anything much older than XP and IE6).

There is also digest authentication, which is the IETF standard for secure
authentication over HTTP. Some people actually use it too. And it works
without needing Windows or domain controllers.

Amos
Received on Tue Jun 02 2009 - 23:59:31 MDT
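The difference between the two schemes discussed in this thread, as an added example that is not part of the original messages or of Squid's own code: Basic puts the password itself on the wire (base64 is reversible), while Digest (RFC 2617, qop=auth) sends only an MD5 of the password bound to the server's nonce, and the server can verify it from a stored HA1 without ever holding the plaintext. The usernames, passwords, realm and nonces below are constructed sample values; the one named test vector is the worked example published in RFC 2617 section 3.5.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials and request; not taken from the thread.
USERNAME = "alice"
PASSWORD = "s3cret-pass"
REALM = "squid-proxy"
METHOD = "GET"
URI = "http://www.example.com/index.html"


def _md5hex(s):
    # RFC 2617 mandates MD5 for Digest; RFC 7616 later added SHA-256.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def basic_header(user, password):
    """Build a Basic credential as sent in Proxy-Authorization (RFC 2617 section 2)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def basic_recover(header):
    """What anyone who sees the Basic header learns: the password itself."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password). A server may store this instead of the password."""
    return _md5hex(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest 'response' for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = _md5hex(f"{method}:{uri}")
    return _md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header(user, password, realm, method, uri, nonce, nc, cnonce):
    """Build the Digest credential a client sends after receiving a nonce challenge."""
    ha1 = digest_ha1(user, realm, password)
    resp = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_digest(header):
    """Parse the key=value parameters of a Digest credential.

    Splitting on ', ' is enough for headers built by digest_header above;
    a production parser must handle quoted commas and arbitrary whitespace."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest credential")
    fields = {}
    for part in params.split(", "):
        key, _, value = part.partition("=")
        fields[key] = value.strip('"')
    return fields


def verify_digest(header, stored_ha1, issued_nonce, method):
    """Server-side check using only the stored HA1 and the nonce the server issued."""
    f = parse_digest(header)
    # A response computed over a different nonce is a replay or a stale
    # credential, so it is rejected before any hashing is done.
    if f.get("nonce") != issued_nonce:
        return False
    expected = digest_response(stored_ha1, method, f["uri"], f["nonce"],
                               f["nc"], f["cnonce"], f["qop"])
    return hmac.compare_digest(expected, f["response"])


if __name__ == "__main__":
    b = basic_header(USERNAME, PASSWORD)
    print("Basic on the wire:", b, "-> recovered:", basic_recover(b))
    d = digest_header(USERNAME, PASSWORD, REALM, METHOD, URI,
                      "nonce-0001", "00000001", "c0ffee")
    print("Digest on the wire:", d)
    print("password visible in Digest header:", PASSWORD in d)
    print("server verifies:", verify_digest(d, digest_ha1(USERNAME, REALM, PASSWORD),
                                            "nonce-0001", METHOD))
```

Two caveats worth keeping in mind when reading the output: Digest only hides the password from a passive observer and ties the response to a nonce; it does not protect the rest of the request, and a captured HA1 is itself sufficient to authenticate, so the HA1 store needs the same protection a password store would. Over untrusted networks either scheme still belongs inside TLS.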

This archive was generated by hypermail 2.2.0 : Wed Jun 03 2009 - 12:00:02 MDT