[switching list to the more appropriate tbb-dev]
Mike Perry:
> > I still can't do NTLM authentication, despite
> > `network.negotiate-auth.allow-insecure-ntlm-v1-https` being set to
> > `true`. That's a bit annoying.
>
> Are there actually public sites that use NTLM? I thought NTLM was mostly
> an enterprise LAN thing, which we were unlikely to encounter via Tor and
> the public Internet. Is this something you have noticed, or is this
> becoming a common support question?

It's used by SharePoint and IIS intranets. One being one I need to
invoice the Tor Project. :D I could keep a copy of Tor Browser 3.6.4
around just for that, but I'd rather see the issue fixed.

I fear this is not going to be a common support question, but it might
bite other people, eventually. See:
https://bugzilla.mozilla.org/show_bug.cgi?id=828183#c46

> We disabled it because the NTLM protocol can leak username, hostname,
> perform non-Tor DNS lookups, etc. It's also very hard to control all of
> this, because many auth mechanisms are implemented by the underlying OS
> and not by Firefox, and if you lump in SPNEGO, there's a ton of crazy
> shit that can happen.

*sigh* At least NTLMv1 is implemented by Firefox on OS X and Linux, from
what I understood in the previously mentioned bug report. From
<http://www.janbambas.cz/ntlm-v1-and-firefox/>, I understand that
setting `network.auth.force-generic-ntlm` would make it the case on
Windows as well.
--
Lunar <lunar(a)torproject.org>
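
The username and hostname disclosure mentioned in the quoted reply, as an added example that is not part of the original thread: a parser that lists the identity fields an NTLM AUTHENTICATE (type 3) message carries unencrypted in the `Authorization` header. Field offsets follow the AUTHENTICATE_MESSAGE layout in MS-NLMP; the function names, the sample values (`CORP`, `alice`, `LAPTOP-01`) and the use of cp437 for OEM strings are assumptions made for the example.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, OEM otherwise


def _field(msg, pos):
    """Read a (length, max length, offset) descriptor and return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]


def identity_in_authenticate(header_value):
    """Return the cleartext identity fields of an NTLM type 3 message."""
    scheme, _, token = header_value.partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(token)
    if len(msg) < 64 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError("not an AUTHENTICATE message")
    (flags,) = struct.unpack_from("<I", msg, 60)
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"  # cp437: assumed OEM page
    return {
        "domain": _field(msg, 28).decode(codec),
        "user": _field(msg, 36).decode(codec),
        "workstation": _field(msg, 44).decode(codec),
    }


def build_sample():
    """Constructed type 3 message; the two 24-byte responses are zero-filled placeholders."""
    strings = [s.encode("utf-16-le") for s in ("CORP", "alice", "LAPTOP-01")]
    payload, descriptors, offset = b"", b"", 64  # payload starts after the 64-byte header
    for data in [bytes(24), bytes(24), *strings, b""]:  # LM, NT, domain, user, host, key
        descriptors += struct.pack("<HHI", len(data), len(data), offset)
        payload += data
        offset += len(data)
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", 3) + descriptors
    msg += struct.pack("<I", NEGOTIATE_UNICODE) + payload
    return "NTLM " + base64.b64encode(msg).decode("ascii")


if __name__ == "__main__":
    print(identity_in_authenticate(build_sample()))
```

None of the three fields is encrypted or hashed by the protocol itself, so they are readable by whoever receives or observes the header in the clear.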