httpd-dev mailing list archives

From Francois Beauregard <FB...@fbli.com>
Subject Re: NTLM in Apache
Date Sat, 23 Aug 1997 02:34:15 GMT
At 18:45 97-08-22 -0700, you wrote:
>> 
>> You're suggesting that Basic Authentication is better?
>
>	No, I'm not, but NTLM is a false sense of security. Basic auth
>is clearly no security.
>

I remember a university site that broke all "Windows based" browsers by
simply putting a link on an image that looked like...

<http://\\207.16.235.12\image.gif>

The client seeing it would say "Hey, that's a Lan Manager over there...
let's authenticate with it !!!"

They also designed a very little "PAM" module for NT that was asking for
username and password with an encryption seed of "0"... or if you prefer,
"Send it in clear, Sam"... The result... on the next page, your user name
and password would show up as if you had typed them in...

And you call that security ;-)


Sincerely

----------------------------------
Francois Beauregard
FBorg@fbli.com
FBLI.COM
We love feedbacks and live by them

Sales        : Sales@fbli.com		1 (888) FBLI.COM
Tech support : Support@fbli.com		1 (514) 349-0455
Internet Web : http://www.fbli.com
ICQ          : 1907537

Montreal, Canada
----------------------------------
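
An added example, not part of the original message: a small Python check that flags HTML attributes pointing at a remote share, the kind of link the message describes. The names `RemoteShareFinder` and `find_remote_share_refs` are hypothetical, and the sample page is constructed (only the first address comes from the message).

```python
import re
from html.parser import HTMLParser

# Attributes whose value a client fetches automatically or on click.
FETCH_ATTRS = {"src", "href", "background", "data", "poster"}
# [scheme:][//]\\host\...  covers a bare UNC path and the http://\\host\ form
# quoted in the message.
UNC = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?/{0,2}\\\\([^\\/]+)[\\/]", re.I)
# file://host/...  with a non-empty host (file:///C:/... is local, not a share).
FILE_HOST = re.compile(r"^file://([^\\/]+)[\\/]", re.I)


class RemoteShareFinder(HTMLParser):
    """Collect (tag, attribute, host, value) for references to a remote share."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in FETCH_ATTRS or not value:
                continue
            value = value.strip()
            m = UNC.match(value) or FILE_HOST.match(value)
            if m and m.group(1).lower() != "localhost":
                self.findings.append((tag, name, m.group(1), value))


def find_remote_share_refs(html):
    finder = RemoteShareFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample; 192.0.2.10 and the .example names are documentation values.
SAMPLE = r"""
<img src="http://\\207.16.235.12\image.gif">
<a href="\\192.0.2.10\share\doc.txt">notes</a>
<img src="file://fileserver.example/pub/logo.gif">
<img src="file:///C:/local/logo.gif">
<img src="//cdn.example/logo.gif">
"""

if __name__ == "__main__":
    for tag, attr, host, value in find_remote_share_refs(SAMPLE):
        print(f"<{tag} {attr}> -> host {host}: {value}")
```

The local `file:///` path and the protocol-relative `//cdn.example/` URL are deliberately not reported, since neither names a remote share.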
