[switching list to the more appropriate tbb-dev]
Mike Perry:
> > I still can't do NTLM authentication, despite `network.negotiate-auth.allow-insecure-ntlm-v1-https` being set to `true`. That's a bit annoying.
>
> Are there actually public sites that use NTLM? I thought NTLM was mostly an enterprise LAN thing, which we were unlikely to encounter via Tor and the public Internet. Is this something you have noticed, or is this becoming a common support question?

It's used by SharePoint and IIS intranets. One being one I need to invoice the Tor Project. :D I could keep a copy of Tor Browser 3.6.4 around just for that, but I'd rather see the issue fixed.

I fear this is not going to be a common support question, but it might bite other people, eventually. See: https://bugzilla.mozilla.org/show_bug.cgi?id=828183#c46

> We disabled it because the NTLM protocol can leak username, hostname, perform non-Tor DNS lookups, etc. It's also very hard to control all of this, because many auth mechanisms are implemented by the underlying OS and not by Firefox, and if you lump in SPNEGO, there's a ton of crazy shit that can happen.

*sigh* At least NTLMv1 is implemented by Firefox on OS X and Linux, from what I understood in the previously mentioned bug report. From http://www.janbambas.cz/ntlm-v1-and-firefox/, I understand that setting `network.auth.force-generic-ntlm` would make it the case on Windows as well.
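
An added example, not part of the original thread or of Tor Browser's code: a small audit that reads a Firefox-style `prefs.js`/`user.js` and reports which of the two NTLM preferences named above are switched on, so a profile that re-enables NTLM can be spotted. The sample profile text is constructed, and the function names are hypothetical.

```python
import re

# The two preferences named in the thread, with what the thread says about them.
NTLM_PREFS = {
    "network.negotiate-auth.allow-insecure-ntlm-v1-https":
        "NTLMv1 allowed over HTTPS; NTLM can leak username and hostname",
    "network.auth.force-generic-ntlm":
        "Firefox's own NTLM code is used instead of the OS implementation",
}

# Matches pref("name", value); and user_pref("name", value); lines.
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def parse_prefs(text):
    """Return {name: value} from prefs.js-style text; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref call
        name, raw = m.groups()
        if raw in ("true", "false"):
            value = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            value = int(raw)
        else:
            value = raw.strip('"')
        prefs[name] = value
    return prefs


def audit_ntlm(text):
    """List (pref, note) for each NTLM pref from the thread that is set to true."""
    prefs = parse_prefs(text)
    return [(n, note) for n, note in NTLM_PREFS.items() if prefs.get(n) is True]


# Constructed sample profile content, for illustration only.
SAMPLE = '''
// user_pref("network.auth.force-generic-ntlm", true);
user_pref("network.negotiate-auth.allow-insecure-ntlm-v1-https", false);
user_pref("network.negotiate-auth.allow-insecure-ntlm-v1-https", true);
user_pref("network.auth.force-generic-ntlm", false);
user_pref("browser.startup.page", 0);
'''

if __name__ == "__main__":
    for name, note in audit_ntlm(SAMPLE):
        print(f"{name} = true: {note}")
```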