[tor-bugs] #12975 [Tor Browser]: Ensure NTLMv2 is still disabled (was: Keep an eye on NTLMv2. Possibly disable it.)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Jul 23 03:30:15 UTC 2015
#12975: Ensure NTLMv2 is still disabled
-------------------------+-------------------------------------------------
Reporter: | Owner: mikeperry
mikeperry | Status: closed
Type: task | Milestone:
Priority: major | Version:
Component: Tor | Keywords: ff38-esr, TorBrowserTeam201507,
Browser | tbb-5.0a4, MikePerry201507
Resolution: fixed | Parent ID:
Actual Points: |
Points: |
-------------------------+-------------------------------------------------
Changes (by mikeperry):
* status: assigned => closed
* resolution: => fixed
Comment:
It appears as though our patch continues to disable NTLMv2 auth. The
commit for the bug in question only adds packet parsing and construction
for NTLMv2, and our patch disables it before we even get to that point.
https://hg.mozilla.org/mozilla-central/rev/f09bfc814171
Related, the patch to prevent info disclosures still has not landed:
https://bugzilla.mozilla.org/show_bug.cgi?id=1046421.
My recommendation is that we should always leave NTLM off. I am deeply
worried about stuff like #11055 and Windows-specific leaks biting us.
Closing this.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12975#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list