> Betreff: RE: Proxy authentication with Negotiate uses wrong host > On Wed, 2011-08-24 at 05:52 -0400, Bert Huijben wrote: > > Then somebody added Kerberos support to neon, but the api wasn't > > updated to allow different behavior for the specific implementations. > > Kerberos via HTTP negotiate is also insecure when not used over HTTPS. > In HTTP negotiate, the GSSAPI mechanism (Kerberos) isn't used to protect > the data stream, only to authenticate. So you still need a secure > channel. > > (Also, negotiate auth does no channel binding, which means Kerberos > provides no additional protection against MITM attacks on the TLS > channel. That just means it's still important for the client to verify > the server cert. I've heard that Microsoft has some extensions to RFC > 4559 to do channel binding, but I don't know any details and Neon almost > certainly doesn't have any support for it.)
Greg, Are you refering to sole Kerberos or are you just concerned about transport encryption? Your statement somewhat irritates me. Given that the HTTP traffic cannot be securely wrapped into the GSS content and nor the SASL QOP can be set (like for LDAP), I would neglect that and still say TLS is not of your concern but of mine or the users in general. Correct me if I am wrong. Mike -- NEU: FreePhone - 0ct/min Handyspartarif mit Geld-zurück-Garantie! Jetzt informieren: http://www.gmx.net/de/go/freephone
