Apache modules compatible with kerberos in 1.7b
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Tue Mar 23 22:16:52 EST 2004
Jeffrey Hutzelman wrote:
>
>
> On Tuesday, March 23, 2004 21:49:48 -0500 Wyllys Ingersoll
> <wyllys.ingersoll at sun.com> wrote:
>
>> The "negotiateauth" extension in Mozilla 1.7b uses GSSAPI
>> for authentication in the same manner that Microsoft IE and IIS
>> use it. By default, Mozilla 1.7b will *NOT*
>> respond to server requests for "Negotiate" authentication
>> unless the URL is "https://". However, This can be overridden
>> by modifying a couple of configuration options:
>
>
> Careful here...
>
> The "negotiate" method authenticates the client but does not provide
> confidentiality or integrity protection for the transferred data. Even
> when TLS is used, the authentication context is not bound to the channel
> in any way. Thus, unless you use TLS _and_ verify the server's
> certificate, an attacker can easily hijack your "authenticated" connection.
Correct, this is purely an authentication protocol, GSSAPI (or Kerberos)
is not used in any way to encrypt or protect the rest of the HTTP
data exchanged between the browser and the server.
-Wyllys
More information about the Kerberos
mailing list