mark,
We'd had some internal discussions about whether we tried to force
people towards HTTPS for gssweb even for http sites?
I cannot remember where we ended up with that.
While working through the Apache module design, Margaret and I have
discovered a significant attack if TLS is not used for the gssweb
authentication. It's a rather unsurprising attack as it pops up in
other GSS protocols.
Consider a server that has a TLS site and a non-TLS site.
They both use gssweb authentication.
An attacker can MITM the non-TLS site and capture the authentication,
replaying it to gain access to the TLS site as the authenticated user.
So, it turns out the cost of allowing gssweb over non-TLS HTTP is higher
than we may have previously discussed.