
Can a website use your Windows network authentication?

GoodEnough

Golden Member
What is it called when you're logged into a Win network, and you go on some intranet site, and it doesn't ask for your login since you're already logged into Windows, and that service just uses the same login profile? Single sign on? LDAP?

What if you go to an external website? Can it try to do the same thing, and figure out your Win username and just log you in automatically?
 
I've seen some intranet IE sites do it, e.g. Citrix. So I imagine IE can probably send your Windows credentials/session info to a site if it's requested through some kind of scripting. So I can't see what would stop an internet site from acting the same as an intranet site. I'm surprised this is not exploited more, actually. Browsers are by design super insecure because of all the scripting crap that sites are allowed to do. Drive-by spyware sites, for example, use various scripting in order to load programs on your computer and run them, essentially infecting it by simply loading a web page.
 
> What is it called when you're logged into a Win network, and you go on some intranet site, and it doesn't ask for your login since you're already logged into Windows, and that service just uses the same login profile? Single sign on? LDAP?
>
> What if you go to an external website? Can it try to do the same thing, and figure out your Win username and just log you in automatically?

It's called single sign-on, and it works on your domain because of Kerberos authentication.
Making this work outside the domain/realm is messy, if not extremely difficult/impossible, and definitely insecure, as you do not want to expose your KDC to the public intertubes.
What you need is a federation solution like ADFS or Ping that uses SAML authentication.
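The reply above covers the Kerberos case. As an added example (not from this thread, and not anyone's product code), here is what a web server actually sees when a browser decides to do Integrated Windows Authentication over the HTTP `Negotiate` scheme. It shows both outcomes: a Kerberos SPNEGO token, whose client name sits inside a ticket encrypted to the service's key, so a site outside the domain learns nothing from it, and the NTLM fallback that lives in the same Negotiate scheme, whose Type 3 (AUTHENTICATE_MESSAGE) carries domain, user and workstation in plaintext. The sample tokens are constructed inside the script (zeroed NTLM challenge responses, a NegTokenInit carrying only mechanism OIDs), not captured traffic; the names CORP, jdoe and WS01 and all function names are this example's own.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_FLAG_UNICODE = 0x00000001          # string fields are UTF-16LE
NTLM_FLAG_NTLM = 0x00000200             # NTLMSSP_NEGOTIATE_NTLM
# DER-encoded mechanism OIDs that show up in SPNEGO tokens
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"                # 1.3.6.1.5.5.2
KRB5_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"      # 1.2.840.113554.1.2.2
MS_KRB5_OID = b"\x06\x09\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"   # 1.2.840.48018.1.2.2


def decode_negotiate_header(authorization):
    """'Negotiate <base64>' -> raw token bytes (SPNEGO wrapper or bare NTLMSSP)."""
    scheme, _, b64 = authorization.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        raise ValueError("not an Integrated Windows Authentication header")
    return base64.b64decode(b64)


def classify_token(token):
    """'ntlm' if an NTLMSSP message is present (bare or as SPNEGO mechToken),
    'kerberos' if a GSS-API token advertises a Kerberos mechanism, else 'unknown'.
    Heuristic: signature/OID search rather than a full DER parse."""
    if NTLMSSP_SIG in token:
        return "ntlm"
    if token[:1] == b"\x60" and (KRB5_OID in token or MS_KRB5_OID in token):
        return "kerberos"
    return "unknown"


def _ntlm_message(token):
    start = token.find(NTLMSSP_SIG)
    if start < 0:
        raise ValueError("no NTLMSSP signature")
    return token[start:]


def _field(msg, offset):
    # NTLM "Fields" entry: Len and MaxLen (u16), then Offset (u32) from message start
    length, _maxlen, start = struct.unpack_from("<HHI", msg, offset)
    return msg[start:start + length]


def parse_ntlm_authenticate(token):
    """Domain, user and workstation from an NTLM Type 3 message.
    These fields are plaintext; only the LM/NT challenge responses are keyed."""
    msg = _ntlm_message(token)
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != 3:
        raise ValueError(f"NTLM type {msg_type} message carries no identity")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLM_FLAG_UNICODE else "cp437"
    return {
        "domain": _field(msg, 28).decode(enc),
        "user": _field(msg, 36).decode(enc),
        "workstation": _field(msg, 44).decode(enc),
        "nt_response_len": len(_field(msg, 20)),
    }


def handle_request(headers):
    """Server-side view of one request: challenge when no token, otherwise report
    what the token reveals. Nothing here verifies the NTLM response; that needs the
    account's NT hash or a domain controller, which an outside site does not have."""
    auth = headers.get("Authorization")
    if auth is None:
        return 401, {"WWW-Authenticate": "Negotiate"}, {}
    token = decode_negotiate_header(auth)
    kind = classify_token(token)
    observed = {"mechanism": kind}
    if kind == "ntlm" and struct.unpack_from("<I", _ntlm_message(token), 8)[0] == 3:
        observed.update(parse_ntlm_authenticate(token))   # identity leaks here
    # Kerberos: the client principal is inside the ticket, encrypted to the service key,
    # so the only thing learned is that the browser tried Kerberos.
    return 401, {"WWW-Authenticate": "Negotiate"}, observed


# --- constructed samples for this example (not captured traffic) ---

def build_ntlm_authenticate(domain, user, workstation):
    """Type 3 message with zeroed LM/NT responses, laid out as a client would send it."""
    fields = [b"", b"\x00" * 24, domain.encode("utf-16-le"),
              user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    header, payload, base = NTLMSSP_SIG + struct.pack("<I", 3), b"", 64
    for f in fields:   # Lm, Nt, Domain, User, Workstation, SessionKey
        header += struct.pack("<HHI", len(f), len(f), base + len(payload))
        payload += f
    header += struct.pack("<I", NTLM_FLAG_UNICODE | NTLM_FLAG_NTLM)
    return header + payload


def _der(tag, content):
    return bytes([tag, len(content)]) + content   # short-form length only


SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(
    build_ntlm_authenticate("CORP", "jdoe", "WS01")).decode("ascii")
# SPNEGO NegTokenInit advertising Kerberos mechTypes and carrying no mechToken (no real ticket)
SAMPLE_KRB_HEADER = "Negotiate " + base64.b64encode(_der(0x60, SPNEGO_OID + _der(
    0xA0, _der(0x30, _der(0xA0, _der(0x30, MS_KRB5_OID + KRB5_OID)))))).decode("ascii")

if __name__ == "__main__":
    for hdr in ({}, {"Authorization": SAMPLE_KRB_HEADER}, {"Authorization": SAMPLE_NTLM_HEADER}):
        print(handle_request(hdr))
```

Whether the browser sends any token at all is decided on the client, which is the practical answer to "what stops an internet site": Internet Explorer and the IE-based zones only auto-logon to sites in the Intranet zone by default, and Chromium-based browsers consult the AuthServerAllowlist policy (falling back to intranet detection on Windows). A site that does get past that check sees, in the NTLM case, the domain and user name before any password material is ever verified.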
 
> I've seen some intranet IE sites do it, e.g. Citrix. So I imagine IE can probably send your Windows credentials/session info to a site if it's requested through some kind of scripting. So I can't see what would stop an internet site from acting the same as an intranet site. I'm surprised this is not exploited more, actually. Browsers are by design super insecure because of all the scripting crap that sites are allowed to do. Drive-by spyware sites, for example, use various scripting in order to load programs on your computer and run them, essentially infecting it by simply loading a web page.


NoScript. Use it, love it... Hell, make love to it! It will love you more than a woman! LOL!
 
> NoScript. Use it, love it... Hell, make love to it! It will love you more than a woman! LOL!

I've tried to use it, but it just makes the internet super annoying to use. Like every single site you land on, you need to figure out which hosts you need to allow so the site even loads. Sites are so terribly designed nowadays. The real fix would be if browsers would not allow scripts to do anything outside of their own tab. I don't get why nobody has coded such a browser yet. I suppose you could run a browser in a chroot jail, though. I've briefly read on it, but it's quite involved.
 
> I've tried to use it, but it just makes the internet super annoying to use. Like every single site you land on, you need to figure out which hosts you need to allow so the site even loads. Sites are so terribly designed nowadays. The real fix would be if browsers would not allow scripts to do anything outside of their own tab. I don't get why nobody has coded such a browser yet. I suppose you could run a browser in a chroot jail, though. I've briefly read on it, but it's quite involved.


I know what you're talking about. Yes, NoScript can be very cumbersome, to say the least. What I do is allow base 2nd-level domains by default to lessen the cumbersomeness. But despite that, very feature-rich and/or poorly designed pages use tons of scripts. So if I trust the site, I'll just allow all scripts temporarily for the whole page. Or I'll go through and look at each script and use an educated guess as to which scripts need to be allowed. CloudFront is a notable one. That is Amazon's S3 content delivery network. It needs to be allowed. But simply allowing all scripts, even temporarily, defeats the purpose, doesn't it? Well, I use layers, and in that I use VooDoo Shield and Sandboxie. So if something tries to enter my machine, it's gonna have a hard time.

Some sites are so damn script-laden, and with all the privacy/security add-ons I have, I need to use another plain vanilla browser to access just that site and use its features. This is especially true if you're filling out taxes online. Just use a plain vanilla browser. You don't want to break anything. I keep Chrome, Cyberfox, Firefox and Pale Moon on here.
 