That arouses my curiosity. Because Mozilla NTLM authentication only works on Windows clients, I suspect that the authentication between client and server would be "good old-fashioned" NTLM and therefore vulnerable to l0phtcrack.

I'd venture to say that using NTLM might actually be worse than basic authentication. True, the application would be more vulnerable to the basic authentication. But if the NTLM is captured from l0phtcrack, the user will give away a possibly more secure (Windows 2000/XP Kerberos or NTLMv2) Windows password. That could expose an otherwise strong Windows password used for other applications.

For example, and this might not apply to the Truman systems, but suppose the system is set up for NTLM. The payroll clerk updates her personal info. Windows sends her password in weak NTLM. 'Cracker' captures her Windows password, thereby gaining access to her Windows account. Using NTLM therefore exposes "everything" (like payroll records). Compare this to basic authentication. With basic authentication, she keeps a separate (and not very serious) username/password combo. If someone sniffs that off the network, well, they vandalize some personal info...big deal. At least they're not logging into her Windows account to change your direct deposit.

Of course, with SSL they get nothing. Also the whole point is moot if you have a switched network, MAC registration and are able to prevent ARP redirection.

Does someone have a "lab" to test l0phtcrack on the NTLM web transmission? I'm playing with OpenBSD and noticed that l0phtcrack is in the ports system. I could test this on my home network, but unfortunately (? that doesn't sound right ?) I don't have an IIS server to authenticate to. Also, if I recall correctly, l0phtcrack needs a lot of transmissions to crack "from the wire," whereas cracking a password file with l0phtcrack is trivial.

Sorry for rambling on. I recommend SSL; it's cross platform, it's standard, it's secure.

On Monday 04 August 2003 18:37, you wrote:
>
> I can't tell by reading about NTLM web authentication, but if it
> is comparable to regular NTLM (and vulnerable to l0phtcrack for
> almost everyone) then basic authentication on the Truman network
> could be reasonable--that is, not really worse than NTLM. Of
> course the proxy server complicates this by making remote people
> local.
>
> Don
