Google Chrome Domain Authentication and Clear Text Passwords in the HTTP Header

1

In an answer to Windows Authentication with Google Chrome it is indicated that Chrome does not yet support Auto NTLM Authentication, which means that users authenticating to sites using Windows Authentication are prompted for a login. Which is annoying but not a problem. Where the problem resides is that the user's password is then sent in clear text to the authenticating site.

I whipped up a quick ASP.NET script that pulls the password out of AUTH_PASSWORD in the Request.ServerVariables collection. Both Safari and Opera prompt for user credentials but neither sends the password in clear text in the HTTP header. I find this especially odd since Chrome, like Safari, is based on WebKit.

What is the difference between the way Chrome authenticates in comparison to other browsers and why does it send the password to a site in this manner?

ahsteele

Posted 2009-08-05T13:47:22.470

Reputation: 1 730

Answers

1

NTLM is currently being ported to Chrome. See this. Just wait for the next version.

harrymc

Posted 2009-08-05T13:47:22.470

Reputation: 306 093

0

One possibility is that Chrome may not support NTLM at all, and Chrome simply falls back to HTTP BASIC authentication. Can you obtain the exact headers in use with Wireshark or similar?

bdonlan

Posted 2009-08-05T13:47:22.470

Reputation: 1 463

My experience with Wireshark is limited but I am guessing I won't be able to see the authentication because the site I am running against is using SSL. If there's a way around that let me know. I was thinking of just turning basic authentication off on the server and seeing if Chrome can still get there. – ahsteele – 2009-08-05T18:25:35.847

0

In reply to your comment on bdonlan's answer:

I am guessing I won't be able to see the authentication because the site I am running against is using SSL.

The Burp proxy tool allows watching (and even modifying) HTTP requests and responses, and it can act as an HTTPS proxy too. (It may or may not work, depending on how Chrome uses HTTPS proxies.)

user1686

Posted 2009-08-05T13:47:22.470

Reputation: 283 655

0

From what I can tell via Wireshark, Chrome does support NTLM authentication. What it does not support is single sign-on by passing through your existing credentials.

This is why the AUTH_PASSWORD field is empty.

dlux

Posted 2009-08-05T13:47:22.470

Reputation: 4 183

So in some fashion Safari and Opera support single-sign-on which is why AUTH_PASSWORD is blank when authenticating with those browsers? – ahsteele – 2009-08-05T21:19:17.987
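For anyone comparing the captured headers that bdonlan's and dlux's answers refer to, this added example (not code from any post above) classifies an `Authorization` header value: a Basic token decodes straight to `user:password`, while an NTLM token is an NTLMSSP handshake message with no password field. The function names and sample headers are constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_MESSAGES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def inspect_authorization(value):
    """Classify an Authorization header value; never returns the password itself."""
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.lower()
    result = {"scheme": scheme, "password_recoverable": False}
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        result["error"] = "token is not valid base64"
        return result
    if scheme == "basic":
        # RFC 7617: base64("user:password"); anyone who sees the header can decode it.
        user, sep, password = raw.decode("utf-8", "replace").partition(":")
        result.update(user=user, password_recoverable=bool(sep),
                      password_length=len(password))
    elif scheme in ("ntlm", "negotiate"):
        if raw.startswith(NTLMSSP_SIG) and len(raw) >= 12:
            # Bytes 8..11 hold the little-endian NTLM message type.
            (msg_type,) = struct.unpack_from("<I", raw, 8)
            result["ntlm_message"] = NTLM_MESSAGES.get(msg_type, "UNKNOWN")
        else:
            result["ntlm_message"] = None  # e.g. a SPNEGO/Kerberos token
    else:
        result["error"] = "unhandled scheme"
    return result

def make_sample_headers():
    """Constructed sample values, not captured traffic."""
    basic = "Basic " + base64.b64encode(b"CORP\\alice:S3cret!").decode()
    # Minimal NTLM type 1 (NEGOTIATE): signature, type, flags, two empty security buffers.
    type1 = NTLMSSP_SIG + struct.pack("<II", 1, 0x00000201) + b"\x00" * 16
    ntlm = "NTLM " + base64.b64encode(type1).decode()
    return basic, ntlm

if __name__ == "__main__":
    for header in make_sample_headers():
        print(inspect_authorization(header))
```

Over SSL the header is encrypted on the wire, but the server that terminates the connection still receives the Basic token in decodable form.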