Kerberos and HTTP / HTTPS - Could Kerberos tickets be intercepted and misused?

Michael B Allen ioplex at gmail.com
Wed Aug 24 01:51:38 EDT 2016


On Tue, Aug 23, 2016 at 10:24 AM, Rick van Rein <rick at openfortress.nl> wrote:
> HTTP/Negotiate is indeed so sad that we've been working on an
> alternative, that is to integrate Kerberos + Diffie-Hellman into TLS.
> Then, once you get TLS going for your HTTPS, you would have established
> mutual trust and perfect forward secrecy.

Hi Rick,

Using the Kerberos ticket as the certificate on which to build TLS
without using a CA and all of the work that goes with it seems much
cleaner. I'm glad to see people working on this.

But it would be even better if the client could (or had the option to)
do authentication with the service directly and thus eliminate the
numerous dependencies for clients (DNS, KDC access, stale tickets,
time sync...). I'm not sure if that is possible with HTTP being
stateless, but if it is, it could be the basis for proper Internet
website security as well.

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
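The property Rick's quoted paragraph relies on, perfect forward secrecy from combining a Kerberos ticket with Diffie-Hellman, can be shown in a small model. The following is an added example written for this page; it is not code from the thread, from Rick's TLS work, or from any Kerberos implementation. It models a ticket as the session key encrypted under the service's long-term key, uses a hash-based stream cipher constructed only for the demo, and takes the 1024-bit MODP prime of RFC 2409 group 2 as an assumed DH group (the logic does not depend on that exact value). The two scenarios show a passive recording being decrypted after the service key later leaks: with the ticket session key protecting traffic directly the recording opens, whereas with an ephemeral DH secret mixed into the traffic key the attacker recovers the session key but still cannot read the traffic.

```python
import hashlib
import hmac
import os
import secrets

# Assumed DH group: 1024-bit MODP prime of RFC 2409 group 2, generator 2.
# The demo's conclusions do not depend on this exact value.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy hash-based keystream, constructed for the demo only (unauthenticated)."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    return nonce + _xor_stream(key, nonce, plaintext)


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    return _xor_stream(key, blob[:12], blob[12:])


def kdc_issue_ticket(service_key: bytes):
    """KDC and service share service_key; the ticket is the session key under it.
    (The client's own copy of the session key, under the client key, is omitted.)"""
    session_key = secrets.token_bytes(32)
    return toy_encrypt(service_key, session_key), session_key


def derive_traffic_key(session_key: bytes, dh_secret: int) -> bytes:
    """Traffic key binds the ticket's session key to the ephemeral DH secret."""
    return hmac.new(session_key, dh_secret.to_bytes(128, "big"), "sha256").digest()


def auth_share(key: bytes, share: int) -> bytes:
    """MAC a DH public share with the ticket session key (mutual authentication)."""
    return hmac.new(key, share.to_bytes(128, "big"), "sha256").digest()


def plain_kerberos_session(service_key: bytes, message: bytes):
    """Traffic protected directly by the ticket session key.
    Returns (what a passive observer records, session key for reference)."""
    ticket, session_key = kdc_issue_ticket(service_key)
    return {"ticket": ticket, "traffic": toy_encrypt(session_key, message)}, session_key


def kerberos_dh_session(service_key: bytes, message: bytes):
    """Same ticket, but traffic key = KDF(session key, ephemeral DH secret).
    Each side authenticates its share with the session key, so only a holder
    of that key can complete the handshake; the exponents are never sent."""
    ticket, session_key = kdc_issue_ticket(service_key)
    a = secrets.randbelow(P - 2) + 2              # client ephemeral exponent
    share_a = pow(G, a, P)
    mac_a = auth_share(session_key, share_a)
    svc_session_key = toy_decrypt(service_key, ticket)   # service opens the ticket
    if not hmac.compare_digest(mac_a, auth_share(svc_session_key, share_a)):
        raise ValueError("client share not authenticated by ticket session key")
    b = secrets.randbelow(P - 2) + 2              # service ephemeral exponent
    share_b = pow(G, b, P)
    mac_b = auth_share(svc_session_key, share_b)
    if not hmac.compare_digest(mac_b, auth_share(session_key, share_b)):
        raise ValueError("service share not authenticated by ticket session key")
    traffic_key = derive_traffic_key(svc_session_key, pow(share_a, b, P))
    assert traffic_key == derive_traffic_key(session_key, pow(share_b, a, P))
    recording = {"ticket": ticket, "share_a": share_a, "share_b": share_b,
                 "traffic": toy_encrypt(traffic_key, message)}
    return recording, session_key


def attacker_recovers_session_key(recording: dict, leaked_service_key: bytes) -> bytes:
    """Once the service's long-term key leaks, any recorded ticket opens."""
    return toy_decrypt(leaked_service_key, recording["ticket"])


def attacker_decrypts_plain(recording: dict, leaked_service_key: bytes) -> bytes:
    """No forward secrecy: session key from the ticket decrypts old traffic."""
    return toy_decrypt(attacker_recovers_session_key(recording, leaked_service_key),
                       recording["traffic"])


def attacker_decrypts_dh(recording: dict, leaked_service_key: bytes) -> bytes:
    """Attacker holds the session key and both public shares but no exponent.
    Combining the shares gives g^(a+b), not g^(ab), so the derived key is wrong."""
    session_key = attacker_recovers_session_key(recording, leaked_service_key)
    guess = recording["share_a"] * recording["share_b"] % P
    return toy_decrypt(derive_traffic_key(session_key, guess), recording["traffic"])


if __name__ == "__main__":
    svc_key = secrets.token_bytes(32)
    msg = b"constructed request body"             # constructed sample traffic
    rec, _ = plain_kerberos_session(svc_key, msg)
    print("plain ticket, after key leak:", attacker_decrypts_plain(rec, svc_key) == msg)
    rec, _ = kerberos_dh_session(svc_key, msg)
    print("ticket + DH, after key leak:", attacker_decrypts_dh(rec, svc_key) == msg)
```

The model deliberately leaves out what the real design must still get right (replay protection for the authenticated shares, channel binding of the handshake to the TLS session, and an authenticated cipher); it isolates only the point in the quoted paragraph, that mixing an ephemeral DH secret into the traffic key stops a later long-term key compromise from exposing recorded sessions.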

