tbb-dev

tbb-dev@lists.torproject.org

October 2014

9 participants
11 discussions

NTLM authentication (was: [tor-qa] Testing ESR 31 based Nightlies)
by Lunar 01 Oct '14

01 Oct '14

[switching list to the more appropriate tbb-dev] Mike Perry: > > I still can't do NTLM authentication, despite > > `network.negotiate-auth.allow-insecure-ntlm-v1-https` being set to > > `true`. That's a bit annoying. > > Are there actually public sites that use NTLM? I thought NTLM was mostly > an enterprise LAN thing, which we were unlikely to encounter via Tor and > the public Internet. Is this something you have noticed, or is this > becoming a common support question? It's used by SharePoint and IIS intranets. One being one I need to invoice the Tor Project. :D I could keep a copy of Tor Browser 3.6.4 around just for that, but I'd rather see the issue fixed. I fear this is not going to be a common support question, but it might bite other people, eventually. See: https://bugzilla.mozilla.org/show_bug.cgi?id=828183#c46 > We disabled it because the NTLM protocol can leak username, hostname, > perform non-Tor DNS lookups, etc. It's also very hard to control all of > this, because many auth mechanisms are implemented by the underlying OS > and not by Firefox, and if you lump in SPNEGO, there's a ton of crazy > shit that can happen. *sigh* At least NTLMv1 is implemented by Firefox on OS X and Linux, from what I understood in the previously mentioned bug report. From <http://www.janbambas.cz/ntlm-v1-and-firefox/>, I understand that setting `network.auth.force-generic-ntlm` would make it the case on Windows as well. -- Lunar <lunar(a)torproject.org>

1 0