Jeffrey Hutzelman wrote:
> On Tuesday, March 23, 2004 21:49:48 -0500 Wyllys Ingersoll
> <[EMAIL PROTECTED]> wrote:
>
>> The "negotiateauth" extension in Mozilla 1.7b uses GSSAPI
>> for authentication in the same manner that Microsoft IE and IIS
>> use it. By default, Mozilla 1.7b will *NOT*
>> respond to server requests for "Negotiate" authentication
>> unless the URL is "https://". However, this can be overridden
>> by modifying a couple of configuration options:
>
> Careful here...
>
> The "negotiate" method authenticates the client but does not provide
> confidentiality or integrity protection for the transferred data. Even
> when TLS is used, the authentication context is not bound to the channel
> in any way. Thus, unless you use TLS _and_ verify the server's
> certificate, an attacker can easily hijack your "authenticated" connection.

Correct, this is purely an authentication protocol; GSSAPI (or Kerberos)
is not used in any way to encrypt or protect the rest of the HTTP
data exchanged between the browser and the server.
-Wyllys
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
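
The precondition discussed in the thread (answer a "Negotiate" challenge only over https with a verified server certificate), written as a client-side gate. This is an added example, not code from the thread or from Mozilla; the function names and sample header values are hypothetical and constructed for illustration.

```python
import re
import ssl
from urllib.parse import urlsplit

def offers_negotiate(www_authenticate_values):
    """True if any WWW-Authenticate header value offers the Negotiate scheme."""
    for value in www_authenticate_values:
        # Blank out quoted strings so a comma or word inside a realm is not
        # mistaken for the start of another challenge.
        unquoted = re.sub(r'"[^"]*"', '""', value)
        for challenge in unquoted.split(","):
            parts = challenge.strip().split(None, 1)
            if parts and parts[0].lower() == "negotiate":
                return True
    return False

def tls_is_verified(ctx):
    """True if this SSLContext both validates the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname

def may_answer_negotiate(url, www_authenticate_values, ctx):
    """Decide whether the client should send a GSSAPI token for this challenge.

    Returns (allowed, reason). Passing the gate does not bind the
    authentication to the TLS channel; it only enforces the precondition.
    """
    if not offers_negotiate(www_authenticate_values):
        return (False, "no Negotiate challenge")
    if urlsplit(url).scheme != "https":
        return (False, "not https")
    if ctx is None or not tls_is_verified(ctx):
        return (False, "server certificate not verified")
    return (True, "ok")

# Constructed sample contexts: one with default verification, one with it disabled.
VERIFIED = ssl.create_default_context()
UNVERIFIED = ssl.create_default_context()
UNVERIFIED.check_hostname = False          # must be cleared before CERT_NONE
UNVERIFIED.verify_mode = ssl.CERT_NONE

if __name__ == "__main__":
    challenge = ['Basic realm="intranet, negotiate later"', "Negotiate"]
    for url, ctx in [("https://app.example/", VERIFIED),
                     ("https://app.example/", UNVERIFIED),
                     ("http://app.example/", None)]:
        print(url, may_answer_negotiate(url, challenge, ctx))
```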