Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> We can ask Tailscale to open a path on an SMB share. Windows being Windows, it will send your username (and a hash of your login password) to this server, unprompted, despite having no reason to consider the server trustworthy.

Wow, I used to think Linux security was miles ahead of Windows security more than 20 years ago because of insanity like this. Fast forward 20 years. NTLMv2 is common, so cracking a password actually requires guessing the entire password instead of just 8 characters. But password guesses are much cheaper, so we haven’t gained much.

Microsoft, how long will it take you to fix this for real? Opening a URL or UNC path should not, without an opt-in, authenticate at all. If configured to authenticate, it should prove, zero-knowledge, to the server that the supplied password (e.g. the logged-in user password) matches the server’s expected password. No further information should be leaked.



SSH has solution for that forever too, server certs. Server cert change or (if you're fancy) is not signed by right CA and you get an alert.


Server certs are a different issue. If OpenSSH, by default, sent SHA256(logged in user’s password) to the server, even after verifying the cert, it would get laughed out of the toolbox of security-conscious users.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: