On Tuesday, March 23, 2004 21:49:48 -0500 Wyllys Ingersoll <[EMAIL PROTECTED]> wrote:
The "negotiateauth" extension in Mozilla 1.7b uses GSSAPI for authentication in the same manner that Microsoft IE and IIS use it. By default, Mozilla 1.7b will *NOT* respond to server requests for "Negotiate" authentication unless the URL is "https://";. However, This can be overridden by modifying a couple of configuration options:
Careful here...
The "negotiate" method authenticates the client but does not provide confidentiality or integrity protection for the transferred data. Even when TLS is used, the authentication context is not bound to the channel in any way. Thus, unless you use TLS _and_ verify the server's certificate, an attacker can easily hijack your "authenticated" connection.
-- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]> Sr. Research Systems Programmer School of Computer Science - Research Computing Facility Carnegie Mellon University - Pittsburgh, PA
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
