Package: wnpp
Severity: normal
I originally packaged this module as it was being used by one of my
clients in a project, but they've switched to using
libapache2-mod-auth-kerb instead, so I no longer have access to an
environment where I can test the package, which means I can't usefully
maintain it.
I've been wondering whether to request removal instead of orphaning,
as NTLM is not very secure by modern standards, as the package
description warns:
  If you're considering using this module, you should be aware that NTLM
  isn't regarded as very secure by modern standards - even Microsoft no
  longer recommends its use - and where possible, you probably want to
  use Kerberos with negotiate auth over https instead (see Debian package
  libapache2-mod-auth-kerb).
AIUI negotiate auth over http (rather than https) suffers from
connection hijack issues, but I don't know how it compares in overall
security terms with NTLM if you aren't able to use https. So I'm going
to just orphan for now.
Cheers,
Olly