From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: David Turner <David.Turner@twosigma.com>
Cc: 'Junio C Hamano' <gitster@pobox.com>,
"git@vger.kernel.org" <git@vger.kernel.org>,
Johannes Schindelin <johannes.schindelin@gmx.de>,
Eric Sunshine <sunshine@sunshineco.com>,
Jeff King <peff@peff.net>
Subject: Re: [PATCH] http(s): automatically try NTLM authentication first
Date: Wed, 22 Feb 2017 23:34:19 +0000 [thread overview]
Message-ID: <20170222233419.q3fxqmrscosumbjm@genre.crustytoothpaste.net> (raw)
In-Reply-To: <97ab9a812f7b46d7b10d4d06f73259d8@exmbdft7.ad.twosigma.com>
[-- Attachment #1: Type: text/plain, Size: 2075 bytes --]
On Wed, Feb 22, 2017 at 09:04:14PM +0000, David Turner wrote:
> > -----Original Message-----
> > From: Junio C Hamano [mailto:jch2355@gmail.com] On Behalf Of Junio C
> > Hamano
> > Sent: Wednesday, February 22, 2017 3:20 PM
> > To: David Turner <David.Turner@twosigma.com>
> > Cc: git@vger.kernel.org; sandals@crustytoothpaste.net; Johannes Schindelin
> > <johannes.schindelin@gmx.de>; Eric Sunshine
> > <sunshine@sunshineco.com>; Jeff King <peff@peff.net>
> > Subject: Re: [PATCH] http(s): automatically try NTLM authentication first
> >
> >
> > Some other possible worries we may have had I can think of are:
> >
> > - With this enabled unconditionally, would we leak some information?
>
> I think "NTLM" is actually a misnomer here (I just copied Johannes's
> commit message). The mechanism is actually SPNEGO, if I understand this
> correctly. It seems to me that this is probably secure, since it is apparently
> widely implemented in browsers.
This is SPNEGO. It will work with NTLM as well as Kerberos.
Browsers usually disable this feature by default, as it basically will
attempt to authenticate to any site that sends a 401. For Kerberos
against a malicious site, the user will either not have a valid ticket
for that domain, or the user's Kerberos server will refuse to provide a
ticket to pass to the server, so there's no security risk involved.
I'm unclear how SPNEGO works with NTLM, so I can't speak for the
security of it. From what I understand of NTLM and from RFC 4559, it
consists of a shared secret. I'm unsure what security measures are in
place to not send that to an untrusted server.
As far as Kerberos, this is a desirable feature to have enabled, with
little downside. I just don't know about the security of the NTLM part,
and I don't think we should take this patch unless we're sure we know
the consequences of it.
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 868 bytes --]
next prev parent reply other threads:[~2017-02-22 23:35 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-22 17:39 [PATCH] http(s): automatically try NTLM authentication first David Turner
2017-02-22 20:19 ` Junio C Hamano
2017-02-22 21:04 ` David Turner
2017-02-22 21:16 ` Junio C Hamano
2017-02-22 21:34 ` Jeff King
2017-02-23 17:08 ` Johannes Schindelin
2017-02-23 19:06 ` Junio C Hamano
2017-02-23 19:42 ` Jeff King
2017-02-23 20:37 ` Junio C Hamano
2017-02-23 20:48 ` Jeff King
2017-02-25 11:51 ` Johannes Schindelin
2017-02-22 23:34 ` brian m. carlson [this message]
2017-02-22 23:42 ` Jeff King
2017-02-23 2:15 ` Junio C Hamano
2017-02-23 19:11 ` Junio C Hamano
2017-02-23 19:35 ` Jeff King
2017-02-23 1:03 ` David Turner
2017-02-23 4:19 ` brian m. carlson
2017-02-23 9:13 ` Mantas Mikulėnas
2017-02-22 21:06 ` Jeff King
2017-02-22 21:25 ` Junio C Hamano
2017-02-22 21:35 ` Jeff King
2017-02-22 21:57 ` Junio C Hamano
2017-02-22 21:58 ` Jeff King
2017-02-22 22:35 ` Junio C Hamano
2017-02-22 23:33 ` Jeff King
2017-02-22 23:34 ` [PATCH 1/2] http: restrict auth methods to what the server advertises Jeff King
2017-02-22 23:40 ` [PATCH 2/2] http: add an "auto" mode for http.emptyauth Jeff King
2017-02-23 1:16 ` David Turner
2017-02-23 1:37 ` Jeff King
2017-02-23 16:31 ` David Turner
2017-02-23 19:44 ` Jeff King
2017-02-23 20:05 ` David Turner
2017-02-25 11:48 ` Johannes Schindelin
2017-02-25 19:15 ` Jeff King
2017-02-25 19:18 ` [PATCH] " Jeff King
2017-02-27 18:35 ` Junio C Hamano
2017-02-28 10:18 ` Johannes Schindelin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170222233419.q3fxqmrscosumbjm@genre.crustytoothpaste.net \
--to=sandals@crustytoothpaste.net \
--cc=David.Turner@twosigma.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=johannes.schindelin@gmx.de \
--cc=peff@peff.net \
--cc=sunshine@sunshineco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).