subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Greg Hudson <ghud...@MIT.EDU>
Subject RE: Proxy authentication with Negotiate uses wrong host
Date Wed, 24 Aug 2011 11:28:37 GMT
On Wed, 2011-08-24 at 05:52 -0400, Bert Huijben wrote:
> Then somebody added Kerberos support to neon, but the api wasn't
> updated to allow different behavior for the specific implementations.

Kerberos via HTTP negotiate is also insecure when not used over HTTPS.
In HTTP negotiate, the GSSAPI mechanism (Kerberos) isn't used to protect
the data stream, only to authenticate.  So you still need a secure
channel.

(Also, negotiate auth does no channel binding, which means Kerberos
provides no additional protection against MITM attacks on the TLS
channel.  That just means it's still important for the client to verify
the server cert.  I've heard that Microsoft has some extensions to RFC
4559 to do channel binding, but I don't know any details and Neon almost
certainly doesn't have any support for it.)




Mime
View raw message