WebApp Sec mailing list archives
Re: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein
From: Andrew van der Stock <vanderaj () greebo net>
Date: Fri, 22 Jul 2005 13:32:22 +1000
Actually, there is a need to couple them - for non-repudiation and traceability reasons.
Preservation of the user's identity and being able to interrogate (say, the user principal object) is a key control to make sure that the request is authorized to perform a transaction and that the associated audit trail is trustworthy ("believable"), a key SOX requirement.
If there is implicit trust of a device but multiple pathways to use the app servers (typical of internal / external SSO junction points serviced by one SSO device), it may be possible to spoof a transaction as someone else if the SSL terminating SSO device does not pass on the credentials in a trustworthy method to code performing the transactions on behalf of the user.
Many SSO solutions suffer from this issue, and it's basically a confusion between coarse grained authentication which SSO solutions usually do pretty well, and fine grained authorization and end-to-end traceability which suffers when authentication details are hidden from the business logic.
thanks,
Andrew

On 20/07/2005, at 7:09 PM, Cyrill Osterwalder wrote:

> There's no need to couple it directly with the back-end Web/Application servers
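As an added illustration of the point above (not code from this post or from any SSO product), the sketch below shows a back end that verifies an HMAC-signed identity assertion from the SSO junction before it authorizes and audits a transaction, beside the weak pattern that simply trusts a bare header. The header names, shared key, assertion format and `transfer_funds` business function are all assumptions made for the example.

```python
import hmac, hashlib, json, time

# Constructed shared secret between the SSO junction and the application tier
# (assumption: in practice a per-device key from a secrets store, or a signature).
SSO_KEY = b"constructed-example-key-do-not-reuse"
MAX_AGE = 300  # seconds an assertion stays acceptable (replay window)

def sso_issue_assertion(principal, roles, key=SSO_KEY, now=None):
    """What the SSO device attaches after authenticating the user (hypothetical format)."""
    now = int(time.time()) if now is None else now
    body = json.dumps({"sub": principal, "roles": roles, "iat": now}, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"X-SSO-Assertion": body, "X-SSO-MAC": mac}

def verify_assertion(headers, key=SSO_KEY, now=None):
    """Back-end side: return the verified claims, or None if the assertion is untrustworthy."""
    body, mac = headers.get("X-SSO-Assertion"), headers.get("X-SSO-MAC")
    if not body or not mac:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return None
    claims = json.loads(body)
    now = int(time.time()) if now is None else now
    if not (now - MAX_AGE <= claims["iat"] <= now + 5):  # stale or future-dated
        return None
    return claims

AUDIT = []  # (outcome, principal, amount); the trail the auditor would read

def transfer_funds_weak(headers, amount):
    """Weak pattern: business logic trusts a bare header it assumes the SSO device set."""
    who = headers.get("X-Remote-User", "anonymous")
    AUDIT.append(("weak", who, amount))
    return who

def transfer_funds(headers, amount, now=None):
    """Authorization decision and audit record both hang off the verified principal."""
    claims = verify_assertion(headers, now=now)
    if claims is None:
        AUDIT.append(("rejected", None, amount))
        return False
    if "payments" not in claims["roles"]:      # fine-grained check in the business logic
        AUDIT.append(("denied", claims["sub"], amount))
        return False
    AUDIT.append(("ok", claims["sub"], amount))
    return True
```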