WebApp Sec mailing list archives

RE: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein


From: "Cyrill Osterwalder" <cyrill.osterwalder () seclutions com>
Date: Wed, 10 Aug 2005 08:49:48 +0200


Hi Amit

> I think I understand. So you say that NTLM connections are, in essence, not pooled. Which is good for security, but less good for performance. In other words, an NTLM intensive site (think Microsoft Outlook Web Access) will not enjoy the performance benefit of connection pooling. Or did I get it wrong?

You got it slightly wrong. Pooling is indeed possible for NTLM enabled
back-end applications like OWA once the authentication procedure itself is
finished. After the authentication process the proxy handles and dispatches
the correct authentication headers based on the session's credentials in the
proxy, also for pooled connections.

But I believe the discussion gets too product (AirLock) oriented at this
point and does not cover general NTLM security issues anymore. If you are
interested in the details I'm happy to continue the discussion off the list.

Best regards

Cyrill Osterwalder

Chief Technology Officer
Seclutions AG

http://www.seclutions.com
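The distinction Cyrill draws above (back-end NTLM authentication is bound to the TCP connection, so a reverse proxy may only pool such connections if it tracks which client session each one belongs to) is easier to see in a small model. The following Python is an added example written for this archive page; it is not AirLock's code and not code from either poster. The NTLM handshake itself is abstracted to a single header carrying the user name, and the session names, connection ids and the two proxy classes are constructed for illustration.

```python
"""Model: NTLM binds an identity to a back-end connection; pooling must respect that."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class BackendConnection:
    """One back-end TCP connection. Once NTLM authentication completes, the
    server treats every later request on this connection as the same user
    (this is the connection-oriented behaviour the thread is about)."""
    conn_id: int
    authenticated_user: Optional[str] = None

    def handle(self, auth_header: Optional[str]):
        if self.authenticated_user is None:
            if auth_header is None:
                return 401, None           # server demands authentication
            # Handshake abstracted: the header is taken as the proven identity.
            self.authenticated_user = auth_header
        # Connection already authenticated: served as the bound user, whatever
        # the current request carried.
        return 200, self.authenticated_user


class NaivePoolingProxy:
    """Hands any idle back-end connection to any client session (the unsafe case)."""

    def __init__(self, pool):
        self.pool = pool

    def forward(self, client_session: str, auth_header: Optional[str] = None):
        conn = self.pool[0]                # always reuse the same idle connection
        return conn.handle(auth_header)


class SessionAwareProxy:
    """Keeps the credentials per client session and dispatches a request only on
    a back-end connection whose bound identity matches that session (the
    behaviour Cyrill describes for pooling after authentication)."""

    def __init__(self, pool):
        self.pool = pool
        self.session_creds = {}            # client session -> authenticated user

    def login(self, client_session: str, user: str):
        self.session_creds[client_session] = user

    def forward(self, client_session: str):
        user = self.session_creds.get(client_session)
        if user is None:
            return 401, None               # never forward an unauthenticated session
        for conn in self.pool:             # reuse a connection bound to this user
            if conn.authenticated_user == user:
                return conn.handle(None)
        for conn in self.pool:             # otherwise authenticate a fresh one
            if conn.authenticated_user is None:
                return conn.handle(user)
        return 503, None                   # pool exhausted for this identity


def naive_scenario():
    """A second session that never authenticated is served as the first user."""
    proxy = NaivePoolingProxy([BackendConnection(1)])
    proxy.forward("sess-alice", auth_header="alice")   # alice authenticates conn 1
    return proxy.forward("sess-bob")                    # bob sends nothing, still 200 as alice


def session_aware_scenario():
    """The same pool, but connections are reused only within the owning session."""
    proxy = SessionAwareProxy([BackendConnection(1), BackendConnection(2)])
    proxy.login("sess-alice", "alice")
    proxy.forward("sess-alice")                         # alice authenticates conn 1
    unauth = proxy.forward("sess-bob")                   # no credentials yet -> 401
    proxy.login("sess-bob", "bob")
    bob = proxy.forward("sess-bob")                      # bob gets conn 2
    alice_again = proxy.forward("sess-alice")            # alice reuses conn 1
    return unauth, bob, alice_again


if __name__ == "__main__":
    print("naive pooling:", naive_scenario())
    print("session-aware pooling:", session_aware_scenario())
```

The naive proxy returns `(200, 'alice')` for a session that never presented credentials, which is the cross-session identity leak that makes blind pooling of NTLM connections unsafe; the session-aware proxy still pools (alice's second request reuses connection 1) but never lets a connection cross session boundaries, which is what makes pooling after authentication acceptable for an NTLM back end such as OWA.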

