Kerberos and HTTP / HTTPS - Could Kerberos tickets be intercepted and misused?

[Osipov, Michael]

> And not just for the server, on the user side too as a lot of client
> applications do not even check if the reply from the server is genuine
> (completing the context establishment phase for mutual authentication)
> and just accept the 200 OK code as it comes

This is actually the most important point as Simo points out. As for client
libs: libcurl does not but libserf does fully establish the context.

Michael