Kerberos and HTTP / HTTPS - Could Kerberos tickets be intercepted and misused?
Osipov, Michael
michael.osipov at siemens.com
Tue Aug 23 09:13:17 EDT 2016
> And not just for the server, on the user side too as a lot of client
> applications do not even check if the reply from the server is genuine
> (completing the context establishment phase for mutual authentication)
> and just accept the 200 OK code as it comes
This is actually the most important point as Simo points out. As for client
libs: libcurl does not, but libserf does fully establish the context.
Michael
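
The check discussed in this message, as an added example that is not part of the original post and is not code from libcurl or libserf: a client that treats a response as unauthenticated until the server's Negotiate token (RFC 4559) completes the security context. `finish_negotiate`, `MutualAuthError` and `FakeContext` are hypothetical names, and `FakeContext` is a constructed stand-in that performs no real cryptography.

```python
import base64
import re

class MutualAuthError(Exception):
    """The server has not proven its identity; discard the response."""

# RFC 4559 final leg: "WWW-Authenticate: Negotiate <base64 GSS-API token>"
_TOKEN = re.compile(r"(?:^|,)\s*Negotiate\s+([A-Za-z0-9+/]+={0,2})\s*(?:,|$)", re.I)

def finish_negotiate(ctx, headers):
    """Complete the client's security context from a non-401 response.

    ctx: object with step(bytes) and a boolean `complete` attribute
         (assumed interface; python-gssapi's SecurityContext has this shape).
    headers: list of (name, value) pairs from the HTTP response.
    """
    for name, value in headers:
        match = _TOKEN.search(value) if name.lower() == "www-authenticate" else None
        if match:
            break
    else:
        raise MutualAuthError("no Negotiate token in response; server unauthenticated")
    try:
        token = base64.b64decode(match.group(1), validate=True)
    except ValueError as exc:
        raise MutualAuthError("malformed Negotiate token") from exc
    ctx.step(token)  # a real mechanism raises here if the token does not verify
    if not ctx.complete:
        raise MutualAuthError("context establishment still incomplete")
    return True

class FakeContext:
    """Constructed stand-in for an initiator context; performs no real cryptography."""
    def __init__(self, expected_reply):
        self.expected_reply, self.complete = expected_reply, False
    def step(self, token):
        if token != self.expected_reply:
            raise ValueError("server token failed verification")
        self.complete = True

if __name__ == "__main__":
    reply = b"constructed-ap-rep"  # constructed sample, not a real AP-REP
    good = [("Content-Type", "text/html"),
            ("WWW-Authenticate", "Negotiate " + base64.b64encode(reply).decode())]
    print(finish_negotiate(FakeContext(reply), good))
    try:  # a bare 200 OK with no server token must not be trusted
        finish_negotiate(FakeContext(reply), [("Content-Type", "text/html")])
    except MutualAuthError as err:
        print("rejected:", err)
```

With a real GSS-API binding, the client must also have requested mutual authentication when it created the context; otherwise the context can be complete before any server token is seen.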