[Samba] NTLM

Michael Wood esiotrot at gmail.com
Sat Oct 3 17:01:42 MDT 2009


Hi

2009/10/3 Eustáquio Rangel <eustaquiorangel at gmail.com>:
> Hey there!
>
> Can you guys tell me about what's the status of docs of NTLM/NTLMv2
> provided by Microsoft?
>
> Let me explain why I need that: we had here a discussion on a local
> college about "free x proprietary software", and the Microsoft guy
> (always them, right?) told us about a case where he claimed that
> Firefox sent one user's username and password through the network
> without encryption.
>
> On the next day I asked the Microsoft guy for some reference about the
> case he talked about. He sent me this URL:
>
> http://blogs.technet.com/dbordini/archive/2008/09/03/browser-navega-o-e-seguran-a-estudo-de-caso.aspx
>
> I translated it with Google and it seems to make some sense:
>
> http://translate.google.com.br/translate?u=http%3A%2F%2Fblogs.technet.com%2Fdbordini%2Farchive%2F2008%2F09%2F03%2Fbrowser-navega-o-e-seguran-a-estudo-de-caso.aspx&sl=pt&tl=en&hl=pt-BR&ie=UTF-8

I am no expert in NTLM vs. NTLMv2, but NTLM does NOT mean clear-text
username and password.  The passwords are still hashed (not sure about
the username).  My understanding is that it is not as secure as
NTLMv2, but is still much better than LM and much better still than
clear-text.

So it seems either there was a misunderstanding between you and the
Microsoft guy, or he misunderstood the article or he was exaggerating.

By the way, I am not sure about earlier versions of Firefox, but at
least 3.0.14 has network.ntlm.send-lm-response set to false by
default.  i.e. it will not send the LM hash in response to an NTLM
challenge.  See here for details:

http://kb.mozillazine.org/About:config_entries#Network.

See also the following URL which seems relevant:
https://developer.mozilla.org/En/Integrated_Authentication

> Trying to resume all the whole stuff, he's complaining that Firefox
> automatically decreased the safety level to NTLM (not using NTLMv2),
> when used with Windows Vista, without warning the user about that,
> sending the username and password as plain text, and for that reason
> Firefox is "junk", not IE (oh, boy), who worked on the expected way.
>
> I'll write a post on my blog (http://eustaquiorangel.com, it's
> Portuguese but I'm wondering on this case would not be a good idea to
> make an English version also) about all this and we'll continue the
> discussion on the college on the next, but first I'd like to ask you
> about that.
>
> Seems you Samba guys made some reverse engineering over time to deal
> with NTLM and after some years Microsoft released some docs, but I
> don't know if they are with enough quality to use and if you are still
> making reverse engineering and perhaps living with some patent risk, as
> I could not find information enough about the "copyright" of this
> protocol, which is the first point I'm planning to talk about on the
> discussion.

Please note that patent and copyright are completely different from each other.

-- 
Michael Wood <esiotrot at gmail.com>
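
Added example, not part of the original message or of Firefox or Samba code: a small audit of the network.ntlm.send-lm-response preference mentioned above, reporting its effective value and which profile file set it. It assumes the usual user_pref("name", value); line format, that user.js is applied after prefs.js, and the default of false reported in the message; the sample file contents are constructed.

```python
import re

# Pref named in the message above; the post reports it defaults to false in Firefox 3.0.14.
LM_PREF = "network.ntlm.send-lm-response"
DEFAULT = False

# Assumed file format: one `user_pref("name", value);` call per line, `//` comments.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)


def parse_prefs(text):
    """Return {name: raw_value}; a later line overrides an earlier one."""
    return {name: raw for name, raw in PREF_RE.findall(text)}


def effective_lm_setting(files):
    """files: [(filename, text)] in the order Firefox applies them
    (prefs.js first, then user.js, which wins). Returns (value, source)."""
    value, source = DEFAULT, "default"
    for filename, text in files:
        raw = parse_prefs(text).get(LM_PREF)
        if raw in ("true", "false"):
            value, source = (raw == "true"), filename
    return value, source


def audit(files):
    """One-line verdict for a profile: FAIL if the LM response is enabled."""
    value, source = effective_lm_setting(files)
    if value:
        return f"FAIL: {LM_PREF}=true (set in {source}); LM response will be sent"
    return f"OK: {LM_PREF}=false ({source}); LM response is not sent"


# Constructed sample profile contents, not taken from a real machine.
SAMPLE_PREFS_JS = '''
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.ntlm.send-lm-response", false);
'''
SAMPLE_USER_JS = '''
// user_pref("network.ntlm.send-lm-response", false);
user_pref("network.ntlm.send-lm-response", true);
'''

if __name__ == "__main__":
    print(audit([("prefs.js", SAMPLE_PREFS_JS)]))
    print(audit([("prefs.js", SAMPLE_PREFS_JS), ("user.js", SAMPLE_USER_JS)]))
```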

