Google Chrome Domain Authentication and Clear Text Passwords in the HTTP Header
NTLM is currently being ported to Chrome. See this. Just wait for the next version.
ahsteele
Updated on September 17, 2022

Comments
- ahsteele over 1 year
In an answer to Windows Authentication with Google Chrome it is indicated that Chrome does not yet support Auto NTLM Authentication, which means that users authenticating to sites using Windows Authentication are prompted for a login. Which is annoying but not a problem. Where the problem resides is that the user's password is then sent in clear text to the authenticating site.
I whipped up a quick ASP.NET script that pulls the password out of the AUTH_PASSWORD in the Request.ServerVariables collection. Both Safari and Opera prompt for user credentials, but neither sends the password in clear text in the HTTP header. I find this especially odd since Chrome, like Safari, is based on WebKit.
What is the difference between the way Chrome authenticates in comparison to other browsers, and why does it send the password to a site in this manner?
- ahsteele over 14 years: My experience with Wireshark is limited, but I am guessing I won't be able to see the authentication because the site I am running against is using SSL. If there's a way around that, let me know. I was thinking of just turning basic authentication off on the server and seeing if Chrome can still get there.
- ahsteele over 14 years: So in some fashion Safari and Opera support single-sign-on, which is why AUTH_PASSWORD is blank when authenticating with those browsers?
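As an added example (not code from the question or any answer on this page), the Python below shows why AUTH_PASSWORD is populated only when a browser falls back to Basic authentication: it parses an Authorization header, recovers the password only for the Basic scheme, and returns None for NTLM or Negotiate tokens, which carry challenge/response or ticket material rather than the password itself. The header values are constructed samples, and the audit function is an illustrative policy check, not part of IIS or Chrome.

```python
import base64
import binascii
from typing import Optional, Tuple

# Constructed sample Authorization headers, as a server would see them in the
# request that follows a 401 challenge. Built here, not captured from a real site.
BASIC_HEADER = "Basic " + base64.b64encode(b"CORP\\alice:Summer2009!").decode()
# Minimal NTLM Type 1 (negotiate) message: "NTLMSSP\0", type 1, flags, empty fields.
NTLM_TYPE1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\x00" + b"\x00" * 16
NTLM_HEADER = "NTLM " + base64.b64encode(NTLM_TYPE1).decode()
# Negotiate (SPNEGO/Kerberos) carries a ticket, never the password; opaque bytes suffice.
NEGOTIATE_HEADER = "Negotiate " + base64.b64encode(b"\x60\x82\x01\x00CONSTRUCTED-TOKEN").decode()


def parse_authorization(header: str) -> Tuple[str, str]:
    """Split an Authorization header into (SCHEME, credentials token)."""
    scheme, _, token = header.strip().partition(" ")
    return scheme.upper(), token.strip()


def exposed_password(header: str) -> Optional[str]:
    """Return the password the server can read from this header, or None.

    Mirrors AUTH_PASSWORD: only Basic places the raw password in the request.
    """
    scheme, token = parse_authorization(header)
    if scheme != "BASIC":
        return None
    try:
        userpass = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed token: nothing recoverable
    # RFC 7617: the user-id may not contain ':', so split on the first one only.
    _user, sep, password = userpass.partition(":")
    return password if sep else None


def audit_header(header: str, over_tls: bool) -> str:
    """Classify a request's credential exposure for monitoring or policy checks."""
    scheme, _ = parse_authorization(header)
    if scheme == "BASIC":
        if not over_tls:
            return "critical: Basic credentials on plaintext HTTP"
        return "warning: Basic credentials readable by the server (AUTH_PASSWORD populated)"
    if scheme in ("NTLM", "NEGOTIATE"):
        return "ok: challenge/response or ticket; password not transmitted"
    return f"unknown scheme {scheme or '<none>'}"
```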