[tbb-dev] NTLM authentication (was: [tor-qa] Testing ESR 31 based Nightlies)

Lunar lunar at torproject.org
Wed Oct 1 23:14:54 UTC 2014


[switching list to the more appropriate tbb-dev]

Mike Perry:
> > I still can't do NTLM authentication, despite
> > `network.negotiate-auth.allow-insecure-ntlm-v1-https` being set to
> > `true`. That's a bit annoying.
> 
> Are there actually public sites that use NTLM? I thought NTLM was mostly
> an enterprise LAN thing, which we were unlikely to encounter via Tor and
> the public Internet. Is this something you have noticed, or is this
> becoming a common support question?

It's used by SharePoint and IIS intranets. One being one I need to
invoice the Tor Project. :D I could keep a copy of Tor Browser 3.6.4
around just for that, but I'd rather see the issue fixed.

I fear this is not going to be a common support question, but it might
bite other people, eventually. See:
https://bugzilla.mozilla.org/show_bug.cgi?id=828183#c46

> We disabled it because the NTLM protocol can leak username, hostname,
> perform non-Tor DNS lookups, etc. It's also very hard to control all of
> this, because many auth mechanisms are implemented by the underlying OS
> and not by Firefox, and if you lump in SPNEGO, there's a ton of crazy
> shit that can happen.

*sigh* At least NTLMv1 is implemented by Firefox on OS X and Linux, from
what I understood in the previously mentioned bug report. From
<http://www.janbambas.cz/ntlm-v1-and-firefox/>, I understand that
setting `network.auth.force-generic-ntlm` would make it the case on
Windows as well.

-- 
Lunar                                             <lunar at torproject.org>
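
Added example, not part of the original message: the quoted concern that NTLM can leak username and hostname is visible in the protocol's type 3 (AUTHENTICATE) message, which carries domain, user and workstation names as plain strings alongside the challenge response. The sketch below reads those fields from an `Authorization: NTLM ...` header value using the MS-NLMP field layout; the sample token and its names are constructed, and the cp437 fallback for non-Unicode strings is an assumption.

```python
import base64
import struct

UNICODE_FLAG = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE

def _field(msg, pos):
    """Read a (Len, MaxLen, Offset) descriptor at pos and return the payload bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def identity_fields(header_value):
    """Return the identifying strings carried in an NTLM AUTHENTICATE (type 3) token."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "NTLM":
        raise ValueError("not an NTLM Authorization value")
    msg = base64.b64decode(token.strip(), validate=True)
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError("expected message type 3")
    (flags,) = struct.unpack_from("<I", msg, 60)
    codec = "utf-16-le" if flags & UNICODE_FLAG else "cp437"  # OEM codepage assumed
    return {name: _field(msg, pos).decode(codec, "replace")
            for name, pos in (("domain", 28), ("user", 36), ("workstation", 44))}

def build_sample():
    """Constructed type 3 token: placeholder names, dummy 24-byte responses."""
    parts = [b"\x00" * 24, b"\x00" * 24,  # LM and NT responses (dummy bytes)
             "EXAMPLECORP".encode("utf-16-le"), "alice".encode("utf-16-le"),
             "ALICE-LAPTOP".encode("utf-16-le"), b""]  # empty session key
    header, payload, offset = b"NTLMSSP\x00" + struct.pack("<I", 3), b"", 64
    for p in parts:
        header += struct.pack("<HHI", len(p), len(p), offset)
        payload += p
        offset += len(p)
    header += struct.pack("<I", UNICODE_FLAG)
    return "NTLM " + base64.b64encode(header + payload).decode("ascii")

if __name__ == "__main__":
    print(identity_fields(build_sample()))
```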