WebApp Sec mailing list archives
RE: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein
From: "Cyrill Osterwalder" <cyrill.osterwalder () seclutions com>
Date: Tue, 9 Aug 2005 08:53:03 +0200
Andrew,
Actually, there is a need to couple them - for non-repudiation and traceability reasons.
There is indeed a need to couple the trust association with the back-end servers. And I agree with you that a trustworthy method must be used to provision credentials or user identity assertions to back-end systems. But that does not necessarily mean that the SSL handshake, including the client certificate verification, has to be coupled with the back-end servers, which I think is a bad idea for larger deployment architectures. It makes filtering and other security enforcement procedures very difficult, increases the risk of the back-end server being compromised, and it does not scale well.

In my opinion, a well-implemented ASG or WAF should be capable of offloading the client certificate authentication and provisioning the data in a trustworthy way to back-end systems, if the ASG/WAF system is supposed to offload centralized authentication enforcement.

Best regards

Cyrill Osterwalder
Chief Technology Officer
Seclutions AG
http://www.seclutions.com
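Added example (not part of the thread, and not Seclutions code): a minimal model of the architecture described above. The gateway (ASG/WAF) terminates TLS, validates the client certificate itself, and hands the back-end a signed identity assertion rather than the TLS handshake. The back-end checks only the assertion. The header names, the JSON assertion format, the HMAC shared secret and the 60-second freshness window are assumptions chosen for illustration; the trust path in practice also depends on the back-end accepting traffic from the gateway only (network policy or mutual TLS between the two), which this snippet does not model.

```python
"""Gateway-side identity offload with a signed assertion (added example).

Two failure modes a practitioner must cover are shown: the gateway strips
any identity headers the client supplies, so a client cannot forge an
assertion, and the back-end rejects assertions that are unsigned, tampered
with, or stale.  Header names, format and secret are illustrative.
"""
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Assumption: gateway and back-end share this secret out of band (and rotate it).
SHARED_SECRET = b"example-only-rotate-me"
ASSERTION_HEADER = "X-Auth-Assertion"   # hypothetical header carrying the JSON assertion
SIGNATURE_HEADER = "X-Auth-Signature"   # hypothetical header carrying the HMAC over it
MAX_AGE_SECONDS = 60                    # freshness window to limit replay of a captured assertion


def _sign(assertion: str) -> str:
    """HMAC-SHA256 over the serialized assertion, hex encoded."""
    return hmac.new(SHARED_SECRET, assertion.encode("utf-8"), hashlib.sha256).hexdigest()


def gateway_forward(client_headers: Dict[str, str], verified_subject: Optional[str],
                    now: Optional[float] = None) -> Dict[str, str]:
    """Return the headers the gateway forwards to the back-end.

    verified_subject is the certificate subject the gateway extracted after
    completing the TLS handshake and validating the chain; None means the
    client presented no valid certificate.  Client-supplied identity headers
    are dropped unconditionally.  (Header names are matched exactly here; a
    real proxy must treat header names case-insensitively.)
    """
    now = time.time() if now is None else now
    upstream = {k: v for k, v in client_headers.items()
                if k not in (ASSERTION_HEADER, SIGNATURE_HEADER)}
    if verified_subject is not None:
        assertion = json.dumps({"subject": verified_subject, "ts": int(now)},
                               separators=(",", ":"), sort_keys=True)
        upstream[ASSERTION_HEADER] = assertion
        upstream[SIGNATURE_HEADER] = _sign(assertion)
    return upstream


def backend_identity(headers: Dict[str, str], now: Optional[float] = None) -> Optional[str]:
    """Return the authenticated subject, or None if the assertion is absent,
    forged, malformed or older than MAX_AGE_SECONDS.  The back-end never
    inspects TLS state; it trusts only a valid signature from the gateway."""
    now = time.time() if now is None else now
    assertion = headers.get(ASSERTION_HEADER)
    signature = headers.get(SIGNATURE_HEADER)
    if assertion is None or signature is None:
        return None
    # Constant-time comparison so signature checks do not leak via timing.
    if not hmac.compare_digest(_sign(assertion), signature):
        return None
    try:
        fields = json.loads(assertion)
        subject = fields["subject"]
        ts = int(fields["ts"])
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(subject, str) or abs(now - ts) > MAX_AGE_SECONDS:
        return None
    return subject


if __name__ == "__main__":
    t = 1_700_000_000.0
    # Constructed request: a client trying to inject its own identity header.
    spoofed = {"Host": "app.example", ASSERTION_HEADER: '{"subject":"CN=admin","ts":1700000000}',
               SIGNATURE_HEADER: "0" * 64}
    print(backend_identity(gateway_forward(spoofed, None, now=t), now=t))                    # None
    print(backend_identity(gateway_forward(spoofed, "CN=alice,O=Example", now=t), now=t))   # CN=alice,O=Example
```

The shared-secret HMAC keeps the example self-contained; a deployment with many back-ends would more naturally have the gateway sign with a private key and the back-ends verify with its public key, so no back-end holds a secret that could mint assertions for the others.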
Current thread:
- NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein Amit Klein (AKsecurity) (Jul 18)
- <Possible follow-ups>
- RE: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein Cyrill Osterwalder (Jul 19)
- RE: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein Amit Klein (AKsecurity) (Jul 19)
- Re: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein Andrew van der Stock (Jul 19)
- RE: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein Cyrill Osterwalder (Jul 20)
- Re: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein Andrew van der Stock (Jul 21)
- RE: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein Cyrill Osterwalder (Jul 20)
- RE: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein Amit Klein (AKsecurity) (Jul 21)
- RE: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein Cyrill Osterwalder (Aug 09)
- RE: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein Amit Klein (AKsecurity) (Aug 09)
- RE: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein Cyrill Osterwalder (Aug 09)
- RE: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein Cyrill Osterwalder (Aug 10)