Contact emails
zen...@google.com, asa...@google.com, dsk...@google.com
Explainer
NTLM is an authentication protocol used in Windows environments. NTLM has had several iterations/enhancements to increase the security of the protocol since it was first released. All Windows clients released after Windows 2003 support a new version of the protocol (NTLMv2) and current Microsoft guidance is to disable NTLMv1 on servers.
Chromium/Chrome is currently the only major browser that doesn’t support NTLMv2 (Feature Request) on non-Windows platforms which results in it being unable to be used in modern Windows enterprise environments. Additionally as part of the Chromad (Domain joined Chromebooks) project, support for NTLMv2 is required in Chrome OS.
This feature implements the new version of the protocol based on the official Microsoft specification and will allow Chrome on non-Windows platforms such as Mac, Linux, Chrome OS and Android to authenticate to NTLMv2 enabled web servers.
In addition to the minimal NTLMv2 support, two additional sub-features - Extended Protection for Authentication (EPA) and Message Integrity Check (MIC) - will also be implemented. The mechanism of authentication is the same as for NTLMv1 with a 3-message (Negotiate, Challenge, Authenticate) handshake; however, the Authenticate message uses different algorithms and contains additional fields.
Specs
Official Microsoft Spec - https://msdn.microsoft.com/en-us/library/cc236621.aspx
Detailed Description of V1 vs V2 protocol Differences - https://docs.google.com/document/d/18kQ_TFQns2HZ9KGs4bGDfiiOIRmOhI12oJBttvUlYLY/edit
Additional NTLM Reference - http://davenport.sourceforge.net/ntlm.html
Additional EPA Reference - https://blogs.msdn.microsoft.com/openspecification/2013/03/26/ntlm-and-channel-binding-hash-aka-extended-protection-for-authentication/
Implementation - https://cs.chromium.org/chromium/src/net/ntlm/?q=ntlm&sq=package:chromium
Summary
Implement NTLMv2 on non-Windows platforms with Extended Protection for Authentication (EPA) support.
Original State - Chromium on non-Windows only supports NTLMv1.
Current State - Replacement implementation of NTLM landed with unit tests and fuzzers. New implementation supports NTLMv1, NTLMv2 and Extended Protection for Authentication. Currently NTLMv1 is still the default (i.e. no behavior change).
Planned M63 - Add a flag that allows users to enable the new NTLMv2 behavior.
Planned Post M63 - Make NTLMv2 the default NTLM protocol version and allow users to set the flag to go back to the old (less secure) version.
Is this feature supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
The feature was already supported on Windows by virtue of system APIs. This adds support to all remaining platforms.
Demo link
N/A
Debuggability
NTLM messages are sent in HTTP headers. The headers can be viewed in the existing developer tools. The messages are base64-encoded strings of a binary format (defined by the MS-NLMP specification). There are no additional tools provided to introspect the content of the messages. This was the existing behavior for NTLMv1 and is consistent with other browsers and with Chrome on Windows.
Risks
Interoperability and Compatibility
Windows Firefox, Edge, IE, Safari, Chrome/Chromium - NTLMv2 already supported and default for many years. Using Windows system libraries.
Non-Windows Safari - Supports NTLMv2 but doesn’t support Extended Protection for Authentication (EPA). NTLMv2 is the default.
Non-Windows Firefox - Supports NTLMv2 but doesn’t support Extended Protection for Authentication (EPA). NTLMv2 is the default. A flag exists to optionally downgrade to NTLMv1.
Proposed Non-Windows Chromium - Support NTLMv2. NTLMv2 is the default protocol version. Supports Extended Protection for Authentication. This brings Chrome to feature parity with all Windows versions of all major browsers, and makes Chrome the only non-Windows browser to support EPA. We will provide a flag/policy to allow downgrading to NTLMv1.
Proposed Windows Chrome/Chromium - No changes are necessary. This is already supported.
Enabled Scenarios
Chrome on non-Windows platforms can now be used in environments that disable NTLMv1 (Microsoft’s recommended configuration)
Chrome on non-Windows platforms can be used in environments that additionally enable Extended Protection for Authentication (EPA). This is also relevant because EPA is enabled for both Kerberos and NTLM with the same setting. Chrome would be the only browser that can authenticate from a non-Windows platform with EPA enabled on the server.
Since the protocol version in NTLM is not negotiated, both client and server are configured at the machine level as to which version they send and which version they accept. Current defaults and recommendation in Windows machines are that Servers only accept NTLMv2 (hence current Chrome clients can’t authenticate) and that clients send NTLMv2 (Chrome would start sending NTLMv2 by default after this change).
Implementation Sequence
Replace existing NTLMv1 implementation. The current code was copied from Firefox and has no tests. Verify with unit tests that the implementations are compatible. DONE.
Add a new NTLMv2 implementation (but leave it disabled). DONE.
Add a flag that allows enabling NTLMv2. Planned for M63
Change the flag default so that NTLMv2 is the default. Planned post M63.
User Impact
If a server only supports NTLMv1, a browser that sends NTLMv2 will not be able to authenticate. This would be a behavior change for Chrome on non-Windows, but it would make it consistent with Chrome on Windows and all other major browsers. Chrome will provide a flag/policy to downgrade to the previous behavior. All supported versions of Windows and Samba support NTLMv2 so this case should be limited.
Is this feature fully tested by web-platform-tests? Link to test suite results from wpt.fyi.
No web platform tests. Implementation is unit tested and has fuzzers running against both versions of the protocol.
Entry on the feature dashboard
TODO;
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABO%2BUTqq%3DQ4Gr63bPL0rcf6uha-5tjinSfU2WjuGdbBkhHtTFA%40mail.gmail.com.
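The Debuggability section above notes that the base64 NTLM header values have no built-in introspection. As an added example (not part of the original post and not Chromium code), this Python sketch decodes an `NTLM <base64>` header value and reports whether an Authenticate message carries an NTLMv1 or NTLMv2 response and whether the MIC flag and an EPA channel-binding hash are present. Field offsets and AV_PAIR ids follow MS-NLMP; the function names and the zero-filled sample messages are constructed for illustration.

```python
import base64
import struct

AV_EOL, AV_FLAGS, AV_CHANNEL_BINDINGS = 0, 6, 10  # MS-NLMP AV_PAIR ids
MIC_PRESENT = 0x2                                 # MsvAvFlags bit: MIC field is populated
TYPES = {1: "Negotiate", 2: "Challenge", 3: "Authenticate"}

def av_pairs(blob):  # walk AV_PAIR records (u16 id, u16 length, value) until MsvAvEOL
    pairs, pos = {}, 0
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        if av_id == AV_EOL:
            break
        pairs[av_id] = blob[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
    return pairs

def inspect_ntlm_header(value):
    """Summarise an 'NTLM <base64>' header value copied from developer tools."""
    scheme, _, token = value.strip().partition(" ")
    msg = base64.b64decode(token, validate=True)  # bad base64 raises ValueError
    if scheme.upper() != "NTLM" or msg[:8] != b"NTLMSSP\x00" or len(msg) < 12:
        raise ValueError("not an NTLM message")
    info = {"type": TYPES.get(struct.unpack_from("<I", msg, 8)[0], "unknown")}
    if info["type"] != "Authenticate":
        return info
    if len(msg) < 28:
        raise ValueError("truncated Authenticate message")
    nt_len, _, nt_off = struct.unpack_from("<HHI", msg, 20)  # NtChallengeResponseFields
    nt = msg[nt_off:nt_off + nt_len]
    if len(nt) == nt_len == 24:  # NTLMv1 response: fixed 24 bytes, no AV pairs
        return {**info, "version": "NTLMv1", "mic": False, "epa": False}
    if len(nt) != nt_len or nt_len < 48 or nt[16:18] != b"\x01\x01":
        raise ValueError("truncated or unrecognised NT response")
    pairs = av_pairs(nt[44:])  # skip 16-byte proof + 28-byte client challenge header
    flags = int.from_bytes(pairs.get(AV_FLAGS, b""), "little")
    return {**info, "version": "NTLMv2", "mic": bool(flags & MIC_PRESENT),
            "epa": any(pairs.get(AV_CHANNEL_BINDINGS, b""))}  # all-zero hash = no binding

def build_sample(nt_response):
    """Constructed Authenticate message: all fields empty except the NT response."""
    nt_field = struct.pack("<HHI", len(nt_response), len(nt_response), 88)
    msg = (b"NTLMSSP\x00" + struct.pack("<I", 3) + bytes(8) + nt_field
           + bytes(32 + 28) + nt_response)  # other fields, flags, version, MIC zeroed
    return "NTLM " + base64.b64encode(msg).decode()

# Constructed NTLMv2 response: zero proof, MIC flag set, dummy channel-binding hash.
SAMPLE_V2 = (bytes(16) + b"\x01\x01" + bytes(26) + struct.pack("<HHI", AV_FLAGS, 4, MIC_PRESENT)
             + struct.pack("<HH", AV_CHANNEL_BINDINGS, 16) + b"\xaa" * 16 + bytes(8))
```

Calling `inspect_ntlm_header(build_sample(SAMPLE_V2))` reports an NTLMv2 Authenticate message with MIC and EPA present, while `build_sample(bytes(24))` is classified as NTLMv1.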
This would be visible to servers but not DOM necessarily. As David has said, we have still been following blink process for externally visible network changes, and this falls under that bucket.
LGTM2
LGTM2
Note that NTLM (and Negotiate) also bring on their own behaviours - because they're connection-based auth methods (a violation of the HTTP RFCs that was shipped early in the Microsoft days), support for them has brought along its own set of concerns. It's why the Fetch spec has to consider connection groups and credentials - because a socket may be imbued with ambient authority if it was previously used for these authentication methods, even if the Fetch request itself is no-credentials :)