WebApp Sec mailing list archives
RE: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein
From: "Cyrill Osterwalder" <cyrill.osterwalder () seclutions com>
Date: Wed, 10 Aug 2005 08:49:48 +0200
Hi Amit
> I think I understand. So you say that NTLM connections are, in essence, not pooled. Which is good for security, but less good for performance. In other words, an NTLM intensive site (think Microsoft Outlook Web Access) will not enjoy the performance benefit of connection pooling. Or did I get it wrong?
You got it slightly wrong. Pooling is indeed possible for NTLM-enabled back-end applications like OWA once the authentication procedure itself is finished. After the authentication process the proxy handles and dispatches the correct authentication headers based on the session's credentials in the proxy, also for pooled connections.

But I believe the discussion gets too product (AirLock) oriented at this point and does not cover general NTLM security issues anymore. If you are interested in the details I'm happy to continue the discussion off the list.

Best regards
Cyrill Osterwalder
Chief Technology Officer
Seclutions AG
http://www.seclutions.com