WebApp Sec
mailing list archives
Re: NTLM and man-in-the-middle proxies not working
From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Wed, 21 Sep 2005 00:48:11 +0200
On 20 Sep 2005 at 13:45, Michael Eddington wrote:
> That isn't 100% true. Because NTLM authenticates a TCP connection,
> not a web request, a proxy must specifically support NTLM
> authentication proxying or bad-things might happen. To show IE that
> this is supported the proxy must set the following header if
> WWW-Authenticate header exists:
>
> Proxy-Support: Session-Based-Authentication
>
> this isn't well documented which is why most MITM proxies didn't
> support NTLM for a long-ass time.

You're right. This header does take care of things - if IE sees this header, it does
proceed with NTLM authentication. But the few proxy servers I played with simply don't use
this header (as you mentioned above). Anyway - I should have mentioned this point in my
earlier submissions, thanks for the correction.
Of course, this only pertains to forward proxies. Reverse/transparent proxies will not be
visible to IE, and so it will happily engage in NTLM authentication, with interesting
consequences.
As for "well documented" - the whole NTLM authentication scheme has no official
documentation (AFAIK), so it's no surprise this header isn't widely known.
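
A check for the condition discussed in this message, as an added example that is not part of the original post: it parses raw HTTP response heads captured on the client side of a forward proxy and flags any that offer NTLM without `Proxy-Support: Session-Based-Authentication`. The sample responses, host names and function names are constructed for illustration.

```python
# Added example: audit responses seen behind a forward proxy for the
# Proxy-Support header that tells the browser NTLM can be proxied safely.
SESSION_TOKEN = "session-based-authentication"

def parse_head(raw):
    """Split a raw HTTP response head into (status_line, [(name, value), ...])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip anything that is not a header line
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def offers_ntlm(headers):
    """True if any WWW-Authenticate header names the NTLM scheme."""
    for name, value in headers:
        words = value.split(None, 1)
        if name == "www-authenticate" and words and words[0].lower() == "ntlm":
            return True
    return False

def declares_session_auth(headers):
    """True if Proxy-Support lists Session-Based-Authentication (comma-separated tokens)."""
    for name, value in headers:
        if name == "proxy-support":
            if SESSION_TOKEN in [t.strip().lower() for t in value.split(",")]:
                return True
    return False

def audit(raw):
    """Classify one response: NTLM not offered, offered with the header, or without it."""
    _, headers = parse_head(raw)
    if not offers_ntlm(headers):
        return "no-ntlm"
    return "ntlm-proxy-aware" if declares_session_auth(headers) else "ntlm-no-proxy-support"

# Constructed sample responses (not captured traffic).
PLAIN_PROXY = ("HTTP/1.1 401 Unauthorized\r\nVia: 1.1 proxy.example\r\n"
               "WWW-Authenticate: NTLM\r\nWWW-Authenticate: Basic realm=\"intranet\"\r\n\r\n")
NTLM_AWARE = ("HTTP/1.1 401 Unauthorized\r\nVia: 1.1 proxy.example\r\n"
              "WWW-Authenticate: NTLM\r\nproxy-support: Session-Based-Authentication\r\n\r\n")
BASIC_ONLY = "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"intranet\"\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("plain", PLAIN_PROXY), ("aware", NTLM_AWARE), ("basic", BASIC_ONLY)]:
        print(label, audit(raw))
```
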