Notice: Deprecating NTLM authentication on non-Windows platforms


Jason Duell

Apr 22, 2014, 2:43:34 AM
to dev-pl...@lists.mozilla.org, enter...@mozilla.org
(Cross-posted to dev.planning and the enterprise list. Please reply to
dev.planning)

Summary: this is a notice that we are planning to deprecate support for
NTLM-based authentication on non-Windows platforms as of Firefox 30.
Users who wish to continue using the v1 NTLM protocol will be able to do
so (for now at least) using an about:config preference.

Rationale: Firefox's support for NTLM login on non-Windows platforms has
been weak for some time: we only support v1 of the protocol, which was
sufficiently insecure to be considered a sec-high bug, so as of Firefox
30 we're scheduled to disable it by default. This will mean Mac/Linux
users will no longer be able to use password authentication to log in
via NTLM, so they won't be able to use Firefox to browse on an NTLM-only
network, unless their about:config is changed to allow the insecure v1
protocol. (On Windows we use native DLLs to do the less-insecure NTLM
v2, so Windows users are unaffected.)

While we'd love to have non-Windows NTLM v2 support, we currently don't
have the resources in-house at Mozilla to devote to it. It's also
unclear what the practical future of NTLM is: there are existing
deployments, but Microsoft has stated that "applications are generally
advised not to use NTLM" as it "does not support any recent
cryptographic methods":

http://msdn.microsoft.com/en-us/library/cc236715.aspx

Nonetheless, if there are contributors who can step up to provide code
(and just as important, testing) for generic NTLM v2 support we would be
interested in hearing from you and we might well take those patches.

We've done things like this before: for a long time we had a "turn on
ssl v2" pref for similar reasons.

User base affected: We're uncertain of exactly how many users will be
affected by this: it's an estimation game. In the past we've gotten
very little feedback about bustage in NTLM until code hits release, so
we suspect there are very few nightly/aurora/beta users. Telemetry at

http://telemetry.mozilla.org/#release/28/NTLM_MODULE_USED_2

indicates that 97% of NTLM users on our current Firefox release are
using Windows (so they are unaffected by this change), with 39K sessions
reported for non-Windows platforms over 3 weeks. Bsmedberg tells me we
have opt-in rates for telemetry at around 3% (but that might be lower
for enterprise deployments), which would make a very rough estimate of
39000 / .03 / 21 = ~60K users if you assume a single Firefox session per
day (which may be overestimating things and inflating the user count: we
have lots of users who restart the browser many times a day). So the
number here is not trivial, but also not massive. Given that NTLM v1
sends users' passwords in the clear, we're hoping it's not unreasonable
to require opt-in, and we hope that sysadmins and users who want it on
will figure out how to toggle the pref. (If that turns out to be overly
optimistic and we judge that pref-toggling is causing too much pain, we
can hotfix the pref and change it back to on by default.)

Here are the relevant bug #s:

https://bugzilla.mozilla.org/show_bug.cgi?id=828183

https://bugzilla.mozilla.org/show_bug.cgi?id=999306

Feedback is welcome.

Jason

Chris Boot

Apr 22, 2014, 2:57:55 AM
to Jason Duell, dev-pl...@lists.mozilla.org, enter...@mozilla.org
On 22/04/14 07:43, Jason Duell wrote:
> sufficiently insecure to be considered a sec-high bug

Sorry to be facetious, but does that mean HTTP Basic auth is going the
same way soon?

Is there a different reason it actually has to disappear besides the
"security" implications? Doesn't running it over SSL/TLS negate the
risks much like Basic auth?

I have no need for NTLM whatsoever; I was just surprised by the reasoning.

HTH,
Chris

--
Chris Boot
bo...@bootc.net

Kent James

Apr 22, 2014, 11:08:55 AM
On 4/21/2014 11:57 PM, Chris Boot wrote:
> Doesn't running it over SSL/TLS negate the
> risks much like Basic auth?

My users use NTLM (with Exchange Web Services) but these are run over
SSL connections. The other alternative is typically Basic
authentication. Users have little choice, as these decisions are made by
corporate authorities.

In my case though, in an addon, the preference can be set easily enough
in the addon, so I can work around this.

:rkent

Jason Duell

Apr 22, 2014, 3:26:34 PM
to Chris Boot, dev-pl...@lists.mozilla.org
On 04/21/2014 11:57 PM, Chris Boot wrote:
> On 22/04/14 07:43, Jason Duell wrote:
>> sufficiently insecure to be considered a sec-high bug
> Sorry to be facetious, but does that mean HTTP Basic auth is going the
> same way soon?
>
> Is there a different reason it actually has to disappear besides the
> "security" implications? Doesn't running it over SSL/TLS negate the
> risks much like Basic auth?
>
> I have no need for NTLM whatsoever; I was just surprised by the reasoning.
It's true that when NTLM is used by a remote HTTP server as an
alternative to basic auth, the plain text issue is largely mooted when
the URI is https://. But the more common use case for NTLM is as an
HTTP proxy authentication method, and connections to proxies are
currently always over plain http.

The difference with basic auth is that no one expects basic auth to be
secure; it's a very well-known insecure protocol. NTLM isn't great, but
most clients/servers do v2, which at least isn't sending their passwords
in clear text, so people expect at least that level of security, but we
won't give it to them when we only support v1.

Jason