Kerberos and HTTP / HTTPS - Could Kerberos tickets be intercepted and misused?

Osipov, Michael michael.osipov at siemens.com
Tue Aug 23 09:13:17 EDT 2016


> And not just for the server, on the user side too as a lot of client
> applications do not even check if the reply from the server is genuine
> (completing the context establishment phase for mutual authentication)
> and just accept the 200 OK code as it comes

This is actually the most important point as Simo points out. As for client
libs: libcurl does not but libserf does fully establish the context.

Michael
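As an added illustration (not code from this thread or from any of the libraries named in it), this is the client-side check the quoted message describes: after the 200 OK arrives, the server's final `WWW-Authenticate: Negotiate` token has to be fed back into the GSS context, and the context must report complete with mutual authentication before the body is trusted. The `StubContext` is a constructed stand-in for a real GSSAPI context (python-gssapi's `SecurityContext` exposes `step()`, `complete` and `actual_flags`) so the example runs offline; the header parsing and decision logic are what a real client would do.

```python
import base64
from typing import Optional

class StubContext:
    """Constructed stand-in for a GSSAPI initiator context. It only
    becomes complete, with mutual authentication, when the server's
    final token is the one a genuine KDC-backed exchange would yield."""
    def __init__(self, expected_token: bytes):
        self._expected = expected_token
        self.complete = False
        self.mutual = False

    def step(self, in_token: bytes) -> None:
        # A real context would verify the AP-REP here (gss_init_sec_context).
        if in_token != self._expected:
            raise ValueError("server token failed verification")
        self.complete = True
        self.mutual = True

def negotiate_token(headers: dict) -> Optional[bytes]:
    """Extract the base64 token from 'WWW-Authenticate: Negotiate <b64>'."""
    for challenge in headers.get("WWW-Authenticate", "").split(","):
        scheme, _, data = challenge.strip().partition(" ")
        if scheme.lower() == "negotiate" and data.strip():
            return base64.b64decode(data.strip())
    return None

def server_is_authenticated(ctx, status: int, headers: dict) -> bool:
    """True only when the 200 OK carries a final Negotiate token that
    completes the context with mutual authentication; a bare 200 OK,
    as accepted by clients that skip this step, is rejected."""
    if status != 200:
        return False
    token = negotiate_token(headers)
    if token is None:
        return False            # no final token: server identity unproven
    try:
        ctx.step(token)         # feed the reply back into the context
    except ValueError:
        return False            # token did not verify: treat as forged
    return ctx.complete and ctx.mutual

# Constructed sample values (not real GSS tokens).
SERVER_TOKEN = b"\x60\x00constructed-final-token"
OK_HEADERS = {"WWW-Authenticate": "Negotiate " + base64.b64encode(SERVER_TOKEN).decode()}
BARE_OK_HEADERS = {"Content-Type": "text/html"}
FORGED_HEADERS = {"WWW-Authenticate": "Negotiate " + base64.b64encode(b"bogus").decode()}
```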


