Re: Secure Transfer of proxy_auth passwords

From: Clifton Royston <[email protected]>
Date: Mon, 24 Jan 2000 10:30:15 -1000

On Mon, Jan 24, 2000 at 01:33:42PM -0600, sdmatott+squid@scooter.uchicago.edu wrote:
> I assume that by default squid sends proxy_auth passwords
> as plain text across the web.
> In other words, when it prompts users for a u-name and passwd
> it then beams these two back to itself as plain-text to be handed over to the
> proxy_auth program, (eg. ncsa_auth or whatever)
> Is this true?

No. The *browser* prompts users for a user-name and password. Squid
doesn't have the ability to magically beam prompts onto users' screens,
or beam things back to itself, without cooperation from the browser.

> If so does anyone know of a way around this, ie a way to make squid
> encrypt passwd's as it sends them across the web, or maybe a way to use
> a challenge/response type system with squid?

Yes. Define a standard for challenge/response authentication with
HTTP, maybe based on CHAP, deal with the backwards-compatibility
issues, promulgate it, get it turned into an RFC, and then get all the
browser authors to support it. Should be doable in about 3 years with
a lot of work.

> It would be nice it our users did not have to send their passwords
> as plain text for all the internet to see.
 
Yes it definitely would. The above is why nobody else has done it
yet.
  -- Clifton

-- 
 Clifton Royston  --  LavaNet Systems Architect --  cliftonr@lava.net
        "An absolute monarch would be absolutely wise and good.  
           But no man is strong enough to have no interest.  
             Therefore the best king would be Pure Chance.  
              It is Pure Chance that rules the Universe; 
          therefore, and only therefore, life is good." - AC
Received on Mon Jan 24 2000 - 13:39:06 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:50:40 MST