Opened 5 years ago

Closed 4 years ago

#12975 closed task (fixed)

Ensure NTLMv2 is still disabled

Reported by: mikeperry Owned by: mikeperry
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Keywords: ff38-esr, TorBrowserTeam201507, tbb-5.0a4, MikePerry201507
Cc: gk Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

In #12974, we disabled NTLMv1 and Negotiate auth. Mozilla is also planning on deploying NTLMv2. We need to keep an eye on this deployment and its associated prefs for FF38-ESR, and set the prefs they provide in ways that make sense for Tor.

Their bug is:
https://bugzilla.mozilla.org/show_bug.cgi?id=423758

Child Tickets

Change History (6)

comment:1 Changed 5 years ago by mikeperry

We should also watch for things like #11055 in this code.

comment:2 Changed 5 years ago by gk

Cc: gk added

comment:3 Changed 4 years ago by mikeperry

Keywords: tbb-5.0a TorBrowserTeam201507 added

Tag the set of things we should have implemented before a full 5.0 launch, and add them to the July radar.

comment:4 Changed 4 years ago by mikeperry

Keywords: tbb-5.0a4 added; tbb-5.0a removed

Tag some 5.0a4 goals.

comment:5 Changed 4 years ago by mikeperry

Keywords: MikePerry201507 added
Owner: changed from tbb-team to mikeperry
Status: newassigned

comment:6 Changed 4 years ago by mikeperry

Resolution: fixed
Status: assignedclosed
Summary: Keep an eye on NTLMv2. Possibly disable it.Ensure NTLMv2 is still disabled

It appears as though our patch continues to disable NTLMv2 auth. The commit for the bug in question only adds packet parsing and construction for NTLMv2, and our patch disables it before we even get to that point. https://hg.mozilla.org/mozilla-central/rev/f09bfc814171

Related, the patch to prevent info disclosures still has not landed: https://bugzilla.mozilla.org/show_bug.cgi?id=1046421.

My recommendation is that we should always leave NTLM off. I am deeply worried about stuff like #11055 and Windows-specific leaks biting us. Closing this.

Note: See TracTickets for help on using tickets.