[tbb-dev] NTLM authentication (was: [tor-qa] Testing ESR 31 based Nightlies)
Lunar
lunar at torproject.org
Wed Oct 1 23:14:54 UTC 2014
[switching list to the more appropriate tbb-dev]
Mike Perry:
> > I still can't do NTLM authentication, despite
> > `network.negotiate-auth.allow-insecure-ntlm-v1-https` being set to
> > `true`. That's a bit annoying.
>
> Are there actually public sites that use NTLM? I thought NTLM was mostly
> an enterprise LAN thing, which we were unlikely to encounter via Tor and
> the public Internet. Is this something you have noticed, or is this
> becoming a common support question?

It's used by SharePoint and IIS intranets. One being one I need to
invoice the Tor Project. :D I could keep a copy of Tor Browser 3.6.4
around just for that, but I'd rather see the issue fixed.

I fear this is not going to be a common support question, but it might
bite other people, eventually. See:
https://bugzilla.mozilla.org/show_bug.cgi?id=828183#c46

> We disabled it because the NTLM protocol can leak username, hostname,
> perform non-Tor DNS lookups, etc. It's also very hard to control all of
> this, because many auth mechanisms are implemented by the underlying OS
> and not by Firefox, and if you lump in SPNEGO, there's a ton of crazy
> shit that can happen.

*sigh* At least NTLMv1 is implemented by Firefox on OS X and Linux, from
what I understood in the previously mentioned bug report. From
<http://www.janbambas.cz/ntlm-v1-and-firefox/>, I understand that
setting `network.auth.force-generic-ntlm` would make it the case on
Windows as well.

--
Lunar <lunar at torproject.org>
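
An added example, not part of the original message and not Tor Browser or Firefox code: a decoder for the NTLM AUTHENTICATE (type 3) message, showing that the domain, user name and client hostname mentioned in the quoted text travel as plain strings inside the `Authorization: NTLM` header value. Field offsets follow the MS-NLMP message layout; the function names, the sample message and its values (CORP, alice, ALICE-LAPTOP) are constructed for illustration, and cp437 for the non-Unicode case is an assumption.

```python
import base64
import struct

NEGOTIATE_UNICODE = 0x00000001
# Offsets of the (len, maxlen, offset) descriptors in an AUTHENTICATE message (MS-NLMP).
FIELDS = {"domain": 28, "user": 36, "workstation": 44}


def parse_ntlm_authenticate(header_value):
    """Return the cleartext identity fields from an 'NTLM <base64>' header value."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM authorization value")
    msg = base64.b64decode(blob, validate=True)
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError("expected AUTHENTICATE (type 3), got type %d" % msg_type)
    (flags,) = struct.unpack_from("<I", msg, 60)
    # Without NEGOTIATE_UNICODE the strings use the client's OEM code page (cp437 assumed here).
    encoding = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    out = {}
    for name, pos in FIELDS.items():
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
        if offset + length > len(msg):
            raise ValueError("field %s points outside the message" % name)
        out[name] = msg[offset:offset + length].decode(encoding)
    return out


def build_sample(domain, user, workstation):
    """Construct a minimal type 3 message for the demo (challenge responses are dummy bytes)."""
    strings = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    parts = [b"\x00" * 24, b"\x00" * 24] + strings + [b""]  # LM, NT, names, session key
    descriptors, payload = b"", b""
    for p in parts:
        descriptors += struct.pack("<HHI", len(p), len(p), 64 + len(payload))
        payload += p
    msg = b"NTLMSSP\x00" + struct.pack("<I", 3) + descriptors + struct.pack("<I", NEGOTIATE_UNICODE) + payload
    return "NTLM " + base64.b64encode(msg).decode("ascii")


# Constructed sample values, not taken from any real capture.
SAMPLE = build_sample("CORP", "alice", "ALICE-LAPTOP")

if __name__ == "__main__":
    print(parse_ntlm_authenticate(SAMPLE))
```

The same fields are present regardless of whether the password response is NTLMv1 or NTLMv2, so the identity exposure is independent of the hash strength.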