Posted by Gordon Burditt on 11/09/07 03:04
>>>> What arguments does such a NTLM request require?
>>> to make it simple:
>>> server tells the browser: you need to authenticate using NTLM, a valid
>>> user is required. Then the browser sends the server the id of a user.
>>
>> What *browsers* do that?
>
>MSIE based. It is a Microsoft thing anyway. An ActiveX applet would
>work in MSIE too, I guess.
>
>> If the user is asked to enter a valid
>> user name, it rather defeats the purpose of not having to log in
>> for the web page after you've already logged in on the workstation.
>
>Well, we are still talking about corporate solutions, right?
>
>>
>> And since anything that comes from a browser is easily faked, it
>> seems to make pretending to be someone else fairly easy.
>>
>
>I have a funny feeling ...
>
>>> the one who owns the task running the web browser. The one that
>>> started the web browser, of course.
>>
>> Unless, of course, the web browser LIES.
>>
>
>... that you just don't have any idea what this NTLM thing is, do you?
Does the fact that I asked what arguments a NTLM request needs give
it away? You're right, I don't know much about it, but I have a
feeling that the people answering my questions know less about it.
A browser can't be trusted for anything involving HTTP server
security. In particular, a browser can be replaced with telnet
operated manually by someone wanting to break into your system,
say, to find out who's on the promotion list or to get some juicy
blackmail to use against the boss. I'm sure Microsoft is not so
lame as to design an authentication system that has such a gaping
hole in it.
I have a feeling that either (a) the browser supplies a user ID and
password, which the HTTP server checks with the domain controller,
in which case the user has to log in on the web page in addition
to logging in to the local account, or (b) Windows provides some
other mechanism for the HTTP server to identify the user making the
request that doesn't involve trusting the browser.
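As an added example (not from the post above or from anyone in this thread), here is a simplified NTLMv2 challenge-response exchange in Python, showing why alternative (b) is the closer guess: the browser never sends the password, and sending only a user name gets nowhere. The web server issues a random 8-byte challenge (the NTLM Type 2 message), the browser answers with an HMAC-MD5 over that challenge keyed by a value derived from the user's NT hash (Type 3), and the domain controller, which holds the NT hashes, recomputes and compares. The NTLM message framing, the full blob layout, signing/sealing and the Netlogon call from web server to DC are left out; the DomainController and WebServer classes, the CORP domain, the account alice and its password are constructed for this example. MD4 is implemented in pure Python because hashlib builds on OpenSSL 3 often lack it.

```python
import hashlib
import hmac
import os
import struct
import time


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), needed because the NT hash is MD4 of the UTF-16LE password."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    ff = lambda x, y, z: (x & y) | (~x & z)
    gg = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    rounds = (
        (ff, 0x00000000, range(16), (3, 7, 11, 19)),
        (gg, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (hh, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for func, const, order, shifts in rounds:
            for step, k in enumerate(order):
                a = _lrot((a + func(b, c, d) + x[k] + const) & 0xFFFFFFFF, shifts[step % 4])
                a, b, c, d = d, a, b, c  # rotate registers so each step updates "a"
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash (NTOWFv1): MD4 of the password encoded as UTF-16LE."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_hash(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed by the NT hash over UPPER(user) + domain, UTF-16LE."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTLMv2 response = NTProofStr (HMAC over challenge || blob) followed by the blob."""
    proof = hmac.new(ntlmv2_hash(nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


class DomainController:
    """Constructed stand-in for the DC: it alone holds NT hashes and answers yes/no."""

    def __init__(self, accounts: dict):
        self._accounts = accounts  # {(DOMAIN, user): nt_hash}

    def verify(self, domain: str, user: str, server_challenge: bytes, response: bytes) -> bool:
        nt = self._accounts.get((domain.upper(), user.lower()))
        if nt is None or len(response) < 16:
            return False
        proof, blob = response[:16], response[16:]
        expected = hmac.new(ntlmv2_hash(nt, user, domain), server_challenge + blob, hashlib.md5).digest()
        return hmac.compare_digest(proof, expected)


class WebServer:
    """Constructed stand-in for the HTTP server: it never sees a password or NT hash."""

    def __init__(self, dc: DomainController):
        self.dc = dc

    def challenge(self) -> bytes:
        return os.urandom(8)  # ServerChallenge carried in the Type 2 message

    def authenticate(self, domain: str, user: str, server_challenge: bytes, response: bytes) -> bool:
        return self.dc.verify(domain, user, server_challenge, response)


def browser_type3(user: str, domain: str, password: str, server_challenge: bytes) -> bytes:
    """What a browser holding the logged-on user's credentials sends back (simplified blob)."""
    filetime = int(time.time() * 10_000_000) + 116444736000000000
    blob = struct.pack("<Q", filetime) + os.urandom(8)  # timestamp + client challenge only
    return ntlmv2_response(nt_hash(password), user, domain, server_challenge, blob)


def demo() -> dict:
    dc = DomainController({("CORP", "alice"): nt_hash("correct horse battery")})
    web = WebServer(dc)
    chal = web.challenge()
    honest = browser_type3("alice", "CORP", "correct horse battery", chal)
    name_only = os.urandom(16) + b"\x00" * 16  # "telnet" user: knows the name, guesses the proof
    return {
        "honest": web.authenticate("CORP", "alice", chal, honest),
        "name_only": web.authenticate("CORP", "alice", chal, name_only),
        "replay": web.authenticate("CORP", "alice", web.challenge(), honest),
        "wrong_password": web.authenticate("CORP", "alice", chal,
                                           browser_type3("alice", "CORP", "guess", chal)),
    }
```

Running `demo()` gives `honest` True and the other three False: a hand-driven telnet session can claim any user name but cannot produce the proof without the NT hash, and a captured response is useless against a fresh challenge. The check does not, however, bind the response to the server the user intended to talk to, which is why NTLM relay remains possible where signing or channel binding is not enforced.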