Regardless weather we use Basic or NTLM authentication, the backend is going to be the Domain password database. So, the idea is that even simple encryption is better than none. I know that this is bad security-wise, but it is much easier for users. I am aware of Self-Signed certs, and have talked with some people about implementing them, but the time it takes to set up the server and all of the clients is something ITS does not currently deem time-efficient. However, this may change in the future.
Caleb Jorden ITS Student Worker [EMAIL PROTECTED] [EMAIL PROTECTED] On Mon, 2003-08-04 at 20:13, Steve Calloway wrote: > That arouses my curiousity. Because Mozilla NTLM authentication only works on > Windows clients, I suspect that the authentication between client and server > would be "good old-fashioned" NTLM and therefore vulnerable to l0phtcrack. > > I'd venture to say that using NTLM might actually be worse than basic > authentication. True, the application would be more vulnerable to the basic > authentication. But if the NTLM is captured from l0phtcrack, the user will > give away a possibly more secure (Windows 2000/XP kerberos or NTLMv2) Windows > password. That could expose an otherwise strong Windows password used for > other applications. > > For example, and this might not apply to the Truman systems, but suppose the > system is setup for NTLM. The payroll clerk updates her personal info. > Windows sends her password in weak NTLM. 'Cracker' captures her Windows > password thereby gaining access to her Windows account. Using NTLM therefore > exposes "everything" (like payroll records) whereas compare this to basic > authentication. With basic authentication, she keeps a separate (and not very > serious) username/password combo. If someone sniffs that off the network, > well they vandalize some personal info...big deal. At least they're not > logging into her Windows account to change your direct deposit. > > Of course, with SSL they get nothing. Also the whole point is moot if you have > a switched network, MAC registration and are able to prevent ARP redirection. > > Does someone have a "lab" to test l0phtcrack on the NTLM web transmission? I'm > playing with OpenBSD and noticed that l0phtcrack is in the ports system. I > could test this on my home network, but unfortunately (? that doesn't sound > right ?) I don't have an IIS server to authenticate to. Also if I recall > correctly, l0phtcrack needs a lot of transmissions to crack "from the wire." > Versus cracking a password file with l0phtcrack is trivial. > > Sorry for rambling on. I recommend SSL; it's cross platform, it's standard, > it's secure. > > > On Monday 04 August 2003 18:37, you wrote: > > > > I can't tell by reading about NTLM web authentication, but if it > > is comparable to regular NTLM (and vulnerable to l0phtcrack for > > almost everyone) then basic authentication on the Truman network > > could be reasonable--that is, not really worse than NTLM. Of > > course the proxy server complicates this by making remote people > > local. > > > > Don > > > ----------------------------------------------------------------- > To get off this list, send email to [EMAIL PROTECTED] > with Subject: unsubscribe > ----------------------------------------------------------------- > ----------------------------------------------------------------- To get off this list, send email to [EMAIL PROTECTED] with Subject: unsubscribe -----------------------------------------------------------------
