Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#12974 closed defect (fixed)

Disable NTLM and Negotiate HTTP Auth

Reported by: mikeperry Owned by: tbb-team
Priority: Very High Milestone:
Component: Applications/Tor Browser Version:
Severity: Keywords: tbb-linkability, tbb-fingerprinting, MikePerry201408
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

This is technically an embargoed Mozilla bug, so I probably shouldn't provide too many details.

Suffice to say that NTLM and Negotiate auth are bad for Tor users, and I doubt very many (or any of them) actually need it.

However, Mozilla's fix is going to be more involved and likely require several pref additions, and this issue is not as high a priority for them as it is for us.

We're just going to take the blunt approach and fully disable all forms of this auth.

Child Tickets

Change History (3)

comment:1 Changed 3 years ago by mikeperry

Keywords: tbb-fingerprinting added

comment:2 Changed 3 years ago by mikeperry

Resolution: fixed
Status: newclosed

Fixed. Will appear in 3.6.5 and 4.0-alpha-1.

comment:3 Changed 3 years ago by lunar

This means that it is now impossible to connect to IIS-backed intranet applications with the Tor Browser, at least on non-Windows platforms. See https://bugzilla.mozilla.org/show_bug.cgi?id=1023748

Note: See TracTickets for help on using tickets.