On 08/08/2017 09:18 AM, Christos Tsantilas wrote:
> Στις 05/08/2017 09:52 πμ, ο Amos Jeffries έγραψε:
>> With the proposed changes all an attacker needs to do is peek at the
>> KK token from the client then race it to be the first one to deliver
>> any token to the originating helper (which can succeed at or after
>> reuse timeout)
> If I am not wrong this is prevented by ntlm/UserRequest.cc code.
FWIW, I was hoping that would be the case. If it were not the case, I
would suggest that Squid polices initial tokens to prevent such attacks.
Glad that defense is already implemented.
Amos, if you agree with Christos, please either withdraw your objection
or come up with another attack.
squid-dev mailing list