On 08/24/2016 10:43 AM, Alexander Bokovoy wrote:
> On Wed, 24 Aug 2016, Robert Marcano wrote:
> ...
>
> > I wonder if the default setting for
> > network.negotiate-auth.trusted-uris=https:// is or isn't a leak.
> No, it is not, at least not to the remote server you are trying to
> visit.
>
> The Kerberos flow is always such that you never send an authentication
> request to the remote server if you cannot obtain a service ticket to
> HTTP/<remote server>@YOUR.REALM from your realm's KDC. If your realm's
> KDC doesn't know about <remote server> (doesn't have the Kerberos principal
> HTTP/<remote server>@YOUR.REALM or doesn't have a Kerberos trust to the
> realm of <remote server>), no service ticket would be issued to you and
> you wouldn't be able to negotiate with the remote server. As a result, Firefox
> wouldn't even try to send a request to the remote server.
>
> Your KDC will get a request to issue a service ticket, so technically it
> will be able to see the host name of the remote server associated with your
> principal. This is a problem for private browsing mode and we proposed
> that the Firefox team fix this information leak.

Thanks for the clarification, the leak in private mode was to the internal KDC not the internet.


> Use of https:// in network.negotiate-auth.trusted-uris in Fedora allows
> us to have a zero-configuration setup for the Fedora desktop. As soon as your
> desktop is enrolled into an environment that supports Kerberos, Firefox
> will be able to negotiate GSSAPI with your corporate servers without any
> additional configuration changes. The same happens with the GNOME Epiphany
> browser, the KDE Konqueror browser, and, I believe, with Safari on Mac OS X.
>
> We also wanted to improve the UX of Firefox in this area by proposing a flow
> similar to acceptance of geotagging requests, where Firefox would ask
> you to add a server or domain to the list of trusted-uris the first time we
> encounter GSSAPI negotiation. This is still open; Firefox UX changes
> require more involvement and discussions to go on. Use of https:// is a
> good compromise for the default configuration, though.
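The two-step decision described in the quoted reply, modelled as an added Python example that is not part of this thread: first the trusted-uris match, then the service-ticket request to the realm's KDC, which learns the hostname whether or not a ticket is issued. The matching rules in `uri_trusted` are an approximation of Firefox's documented behaviour (an assumption, not Firefox's code), and `FakeKDC` is a constructed stand-in for a real KDC.

```python
# Added example, not from the thread. Step 1: does
# network.negotiate-auth.trusted-uris cover the URL? Step 2: if so, Firefox
# asks its realm's KDC for a ticket to HTTP/<host>@REALM, so the KDC sees the
# hostname even when it refuses. Matching rules below are an assumption.
from urllib.parse import urlsplit

def uri_trusted(trusted_uris: str, url: str) -> bool:
    """True if url matches any comma-separated entry in trusted_uris."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    for entry in (e.strip().lower() for e in trusted_uris.split(",") if e.strip()):
        if "://" in entry:
            want_scheme, _, want_host = entry.partition("://")
        else:
            want_scheme, want_host = "", entry
        want_host = want_host.split("/")[0]        # drop any path
        if want_scheme and want_scheme != scheme:
            continue
        if not want_host:                          # "https://": every https host
            return True
        if want_host.startswith("."):              # ".corp.example": subdomains only
            if host.endswith(want_host):
                return True
        elif host == want_host or host.endswith("." + want_host):
            return True
    return False

class FakeKDC:
    """Constructed stand-in for a realm KDC: knows a fixed set of HTTP/ SPNs
    and records every service-ticket request it receives."""

    def __init__(self, realm, known_hosts):
        self.realm = realm
        self.known = {f"HTTP/{h}@{realm}" for h in known_hosts}
        self.seen = []                             # hostnames the KDC learns

    def tgs_request(self, host):
        self.seen.append(host)
        return f"HTTP/{host}@{self.realm}" in self.known   # True = ticket issued

def negotiate_outcome(trusted_uris, url, kdc):
    """'skipped': pref not matched, KDC never contacted. 'no-ticket': KDC saw
    the host but has no principal. 'negotiate': Authorization: Negotiate sent."""
    if not uri_trusted(trusted_uris, url):
        return "skipped"
    host = (urlsplit(url).hostname or "").lower()
    return "negotiate" if kdc.tgs_request(host) else "no-ticket"
```

Running `negotiate_outcome("https://", url, kdc)` for an internet URL returns `"no-ticket"` while `kdc.seen` still records the hostname; narrowing the pref to `.corp.example` returns `"skipped"` and the KDC is never contacted.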

--
devel mailing list
devel@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org