[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #12975 [Tor Browser]: Ensure NTLMv2 is still disabled (was: Keep an eye on NTLMv2. Possibly disable it.)

Subject: Re: [tor-bugs] #12975 [Tor Browser]: Ensure NTLMv2 is still disabled (was: Keep an eye on NTLMv2. Possibly disable it.)
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Thu, 23 Jul 2015 03:30:15 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 22 Jul 2015 23:30:26 -0400
In-reply-to: <049.aa58e53199faea3b4c403ad7a47dd4d2@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <049.aa58e53199faea3b4c403ad7a47dd4d2@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#12975: Ensure NTLMv2 is still disabled
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  mikeperry
  mikeperry              |     Status:  closed
         Type:  task     |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  ff38-esr, TorBrowserTeam201507,
  Browser                |  tbb-5.0a4, MikePerry201507
   Resolution:  fixed    |  Parent ID:
Actual Points:           |
       Points:           |
-------------------------+-------------------------------------------------
Changes (by mikeperry):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 It appears as though our patch continues to disable NTLMv2 auth. The
 commit for the bug in question only adds packet parsing and construction
 for NTLMv2, and our patch disables it before we even get to that point.
 https://hg.mozilla.org/mozilla-central/rev/f09bfc814171

 Related, the patch to prevent info disclosures still has not landed:
 https://bugzilla.mozilla.org/show_bug.cgi?id=1046421.

 My recommendation is that we should always leave NTLM off. I am deeply
 worried about stuff like #11055 and Windows-specific leaks biting us.
 Closing this.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12975#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: Re: [tor-bugs] #16632 [Tor Browser]: Turn on the background autoupdater
Next by Author: [tor-bugs] #16641 [- Select a component]: The Principles of Anaerobic Exercise
Previous by thread: Re: [tor-bugs] #6458 [Tor Browser]: Double-key HSTS for third party content (was: Disable HSTS for third party content on non-HSTS domains)
Next by thread: [tor-bugs] #16641 [- Select a component]: The Principles of Anaerobic Exercise
Index(es):
- Author
- Thread