On Wed, Feb 22, 2017 at 09:04:14PM +0000, David Turner wrote: > > -----Original Message----- > > From: Junio C Hamano [mailto:jch2355@gmail.com] On Behalf Of Junio C > > Hamano > > Sent: Wednesday, February 22, 2017 3:20 PM > > To: David Turner > > Cc: git@vger.kernel.org; sandals@crustytoothpaste.net; Johannes Schindelin > > ; Eric Sunshine > > ; Jeff King > > Subject: Re: [PATCH] http(s): automatically try NTLM authentication first > > > > > > Some other possible worries we may have had I can think of are: > > > > - With this enabled unconditionally, would we leak some information? > > I think "NTLM" is actually a misnomer here (I just copied Johannes's > commit message). The mechanism is actually SPNEGO, if I understand this > correctly. It seems to me that this is probably secure, since it is apparently > widely implemented in browsers. This is SPNEGO. It will work with NTLM as well as Kerberos. Browsers usually disable this feature by default, as it basically will attempt to authenticate to any site that sends a 401. For Kerberos against a malicious site, the user will either not have a valid ticket for that domain, or the user's Kerberos server will refuse to provide a ticket to pass to the server, so there's no security risk involved. I'm unclear how SPNEGO works with NTLM, so I can't speak for the security of it. From what I understand of NTLM and from RFC 4559, it consists of a shared secret. I'm unsure what security measures are in place to not send that to an untrusted server. As far as Kerberos, this is a desirable feature to have enabled, with little downside. I just don't know about the security of the NTLM part, and I don't think we should take this patch unless we're sure we know the consequences of it. -- brian m. carlson / brian with sandals: Houston, Texas, US +1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only OpenPGP: https://keybase.io/bk2204