WebApp Sec mailing list archives

Re: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein


From: Andrew van der Stock <vanderaj () greebo net>
Date: Wed, 20 Jul 2005 13:52:38 +1000

With respect,

That SSL should always be terminated in front of a Web server is illustrated in
our technology whitepaper, already mentioned above:
(http://www.seclutions.com/en/downloads/AirLock_Whitepaper.pdf).

Terminating SSL sessions before the web server assumes that no client-side certificates are in use. If you use client-side certificates (either soft certs or smart cards), terminating early means that the web app has to trust the front end termination device to provide the authentication details from the client.

Pretty much all solutions to this usually involve setting headers (like REMOTE_USER, iv-cred or similar) and passing on the request. If the header or token is not present for unauthenticated requests, an attacker can spoof the (say) REMOTE_USER header successfully.

Andrew
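The header-spoofing problem described in the post, as an added example (not from the post or the AirLock product): a naive back end that believes REMOTE_USER from anyone, beside a front end that always strips client-supplied identity headers and signs the ones it sets, and a back end that honours the header only from the front end's address when the signature verifies. The proxy address, shared secret and X-Proxy-Auth-Sig header name are constructed for this example.

```python
import hashlib
import hmac

# Constructed values for the example: the front end's address and a secret it
# shares with the back end so that its identity headers can be authenticated.
TRUSTED_PROXY_IPS = {"10.0.0.5"}
PROXY_SECRET = b"constructed-shared-secret"
IDENTITY_HEADER = "REMOTE_USER"
SIG_HEADER = "X-Proxy-Auth-Sig"  # hypothetical header name


def naive_user(headers):
    """Naive back end: believes REMOTE_USER no matter who set it."""
    return headers.get(IDENTITY_HEADER)


def front_end_sign(user):
    """MAC the front end computes over the user name it has verified."""
    return hmac.new(PROXY_SECRET, user.encode(), hashlib.sha256).hexdigest()


def front_end_forward(client_headers, verified_user):
    """What the terminating device forwards to the back end.

    Client-supplied identity headers are always dropped, so an unauthenticated
    request never carries a REMOTE_USER the client chose. When the client
    certificate was verified, the front end sets the header and signs it.
    """
    forwarded = {k: v for k, v in client_headers.items()
                 if k not in (IDENTITY_HEADER, SIG_HEADER)}
    if verified_user is not None:
        forwarded[IDENTITY_HEADER] = verified_user
        forwarded[SIG_HEADER] = front_end_sign(verified_user)
    return forwarded


def hardened_user(headers, peer_ip):
    """Hardened back end: honours REMOTE_USER only when the request came from
    the front end and the accompanying MAC verifies; a spoofed header is ignored."""
    if peer_ip not in TRUSTED_PROXY_IPS:
        return None
    user = headers.get(IDENTITY_HEADER)
    sig = headers.get(SIG_HEADER)
    if not user or not sig:
        return None
    if not hmac.compare_digest(sig, front_end_sign(user)):
        return None
    return user
```

Restricting by peer address alone is not enough if the back end is reachable by other hosts on that network, which is why the signature check is kept as a second condition.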

