WebApp Sec mailing list archives

Re: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein


From: Andrew van der Stock <vanderaj () greebo net>
Date: Fri, 22 Jul 2005 13:32:22 +1000

Actually, there is a need to couple them - for non-repudiation and traceability reasons.

Preservation of the user's identity and being able to interrogate (say the user principal object) is a key control to make sure that the request is authorized to perform a transaction and the associated audit trail is trustworthy ("believable"), a key SOX requirement.

If there is implicit trust of a device but multiple pathways to use the app servers (typical of internal / external SSO junction points serviced by one SSO device), it may be possible to spoof a transaction as someone else if the SSL terminating SSO device does not pass on the credentials in a trustworthy method to code performing the transactions on behalf of the user.

Many SSO solutions suffer from this issue, and it's basically a confusion between coarse grained authentication which SSO solutions usually do pretty well, and fine grained authorization and end-to-end traceability which suffers when authentication details are hidden from the business logic.

thanks,
Andrew

On 20/07/2005, at 7:09 PM, Cyrill Osterwalder wrote:

There's no need to couple it directly with the
back-end Web/Application servers
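An added example, not from the thread or from either poster, of the distinction being drawn above: an SSL-terminating SSO device that forwards only a plain user header leaves the back-end unable to tell a genuine request from one in which a middle hop rewrote the name, whereas an identity assertion bound to the request with a MAC over a shared secret lets the business logic authorize and audit against a verified principal. The header names, the `SHARED_SECRET` value and the `perform_transfer` function are constructed for illustration.

```python
import hashlib
import hmac
import json
import time

# Assumption: the SSO device and the application tier share this secret out of
# band. Constructed placeholder value, not a real key.
SHARED_SECRET = b"constructed-placeholder-shared-secret"


def sso_assert_identity(secret, principal, method, path, issued_at=None):
    """What the SSL-terminating SSO device forwards: the principal plus a MAC that
    also covers the method, path and issue time, so the assertion cannot be
    re-pointed at another user or replayed against another transaction."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    payload = json.dumps({"sub": principal, "m": method, "p": path, "iat": issued_at},
                         sort_keys=True, separators=(",", ":"))
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return {"X-SSO-Identity": payload, "X-SSO-Signature": tag}


def verify_identity(secret, headers, method, path, now=None, max_age=300):
    """Back-end check: return the principal if the assertion is authentic, bound
    to this request and fresh; otherwise None."""
    payload = headers.get("X-SSO-Identity")
    tag = headers.get("X-SSO-Signature")
    if payload is None or tag is None:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("m") != method or claims.get("p") != path:
        return None
    now = int(time.time()) if now is None else now
    # Accept assertions up to max_age seconds old and 60 seconds of clock skew.
    if not (now - max_age <= claims.get("iat", 0) <= now + 60):
        return None
    return claims["sub"]


AUDIT_LOG = []


def perform_transfer(secret, headers, method, path, amount, now=None):
    """Business logic (hypothetical transaction) authorizes against the verified
    principal rather than the raw header, and records that principal in the
    audit trail so the trail stays believable."""
    principal = verify_identity(secret, headers, method, path, now=now)
    if principal is None:
        AUDIT_LOG.append({"outcome": "rejected", "reason": "untrusted identity", "path": path})
        return False
    AUDIT_LOG.append({"outcome": "ok", "principal": principal, "path": path, "amount": amount})
    return True


def naive_principal(headers):
    """The weak pattern: trust whatever name arrives in a plain header. Any hop
    between the SSO device and this code can set it, so the audit trail built
    on it proves nothing."""
    return headers.get("X-Remote-User")


if __name__ == "__main__":
    hdrs = sso_assert_identity(SHARED_SECRET, "alice", "POST", "/transfer")
    print("verified principal:", verify_identity(SHARED_SECRET, hdrs, "POST", "/transfer"))
    print("naive principal:", naive_principal({"X-Remote-User": "anyone"}))
```

The MAC-bound assertion stands in for whatever the SSO product actually forwards (a signed token, a mutually authenticated connection, and so on); the point is that the back-end has something it can verify before it authorizes and before it writes the principal to the audit log, which a bare header does not give it.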

