RE: Basic auth by default
would be nice to have the NTLM support with proxies too just trying to vote for this feature request ;-) thanx Merten -Original Message- From: Hrvoje Niksic [mailto:[EMAIL PROTECTED] Sent: Thursday, June 28, 2007 12:11 PM To: wget@sunsite.dk Subject: Re: Basic auth by default Daniel Stenberg [EMAIL PROTECTED] writes: I'm pretty sure the original NTLM code I contributed to wget _had_ the ability to deal with proxies (as I wrote the support for both host and proxy at the same time). It should be fairly easy to bring back. It's easy to bring back the code itself, but it's not easy to integrate it with how Wget communicates with proxies, at least not without reworking a large chunk of HTTP code. That is why I started with support for simple client NTLM and postponed proxies for later.
Re: Basic auth by default
On Thu, 28 Jun 2007, Hrvoje Niksic wrote: It's easy to bring back the code itself, but it's not easy to integrate it with how Wget communicates with proxies, at least not without reworking a large chunk of HTTP code. That is why I started with support for simple client NTLM and postponed proxies for later. Right, thanks for setting that straight.
Re: Basic auth by default
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Micah Cowan wrote: Mauro Tortonesi wrote: On Tue, 26 Jun 2007 13:33:35 -0700 Micah Cowan [EMAIL PROTECTED] wrote: i am not so sure this is a critical point. as hrvoje pointed out, basic authentication is definitely the most used authentication mechanism on the web, so changing the current policy to perform digest authentication first and use basic authentication as a failover might result in a perfomance penalty. It will absolutely result in a (small: one per host?) performance penalty. To be clearer: if the authentication mechanism ends up being Basic, it could probably be one-per-host. Obviously, if the server requests Digest, it will be per-request. - -- Micah J. Cowan Programmer, musician, typesetting enthusiast, gamer... http://micah.cowan.name/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGgqIA7M8hyUobTrERCMshAJ0bWbK66JW6FluB1hdehbDetcQ1vgCfe00w fgX8E/Wc+zMFCtcJrHk54Fc= =FXxw -END PGP SIGNATURE-
RE: Basic auth by default
Micah Cowan wrote: However, performance at the cost of security is not a trade-off I am willing to make. Regardless of whether digest is widely used or not, any security-minded user who happens to discover the way we do things will be very upset with us, and justifiably so. This situation is really inexcusable. I agree. I discovered this when trying to use wget with an HTTP proxy that uses NTLM. (Is that on the list somewhere?) I was dismayed to see that wget was volunteering my credentials before even knowing what authentication scheme to use. There's not much point in using a challenge-response authentication scheme if the client is just going to send the credentials in cleartext anyway. Rodney CONFIDENTIALITY NOTICE: This message is intended for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient or the employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by email reply.
RE: Basic auth by default
On Wed, 27 Jun 2007, Barnett, Rodney wrote: I agree. I discovered this when trying to use wget with an HTTP proxy that uses NTLM. (Is that on the list somewhere?) I'm pretty sure the original NTLM code I contributed to wget _had_ the ability to deal with proxies (as I wrote the support for both host and proxy at the same time). It should be fairly easy to bring back.
