[38986] in Kerberos
Re: heimdal http proxy
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Sun Sep 12 11:14:12 2021
Message-ID: <202109121511.18CFBSvs001879@hedwig.cmf.nrl.navy.mil>
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
To: Charles Hedrick <hedrick@rutgers.edu>
In-Reply-To: <AB004455-E81F-4489-A962-084C11B102CC@rutgers.edu>
MIME-Version: 1.0
Date: Sun, 12 Sep 2021 11:11:18 -0400
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
>The hope is that the proxy will read requests and validate them. Thus
>passing through the proxy would be less dangerous that exposing port 88
>directly. If that’s not true, we should consider the risks of making
>port 88 available, or give up.
I'm curious as to exactly what validation for requests you think the
HTTP proxy is doing that the KDC is not. The only meaningful validation
I can think of would require the proxy to handle all of the functions
of the KDC itself (and honestly, I suspect the only validation that the
proxy is doing is, "Looks like a valid HTTP request that doesn't have
any of the common SQL injection attacks in the URL"). I mean, I've
certainly been in the situation where we are required to do something
dumb to satisfy a overly-broad security requirement, but I always try
to acknowledge the dumbness.
--Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
