Re: [SQU] Proxy Authentication Issues

From: Robert Collins <[email protected]>
Date: Thu, 1 Mar 2001 09:19:37 +1100

----- Original Message -----
From: "HUNT_STEVE" <HUNT_STEVE@smc.edu>
To: <squid-users@ircache.net>
Sent: Thursday, March 01, 2001 5:00 AM
Subject: [SQU] Proxy Authentication Issues

>
> Hi all,
>
> I am testing Squid for use in authentication of our off-campus users.
I
> have it set up with the msntauth program, and it seems to work well.
>
> ====lines from my squid.conf======
> acl ourusers proxy_auth REQUIRED
> http_access allow ourusers
> authenticate_program /usr/local/squid/bin/msntauth
> ====lines from my squid.conf======
>
> I have some concerns about authentication with proxy servers. I know
that
> proxy_auth is using HTTP Basic Authentication. Basic Authentication
encodes

proxy_auth in squid2.5 (FYI: not stable yet) supports digest and NTLM
authentication schemes as well.

> but does not encrypt the username and password. The username and
password
> are sent with every page accessed through the proxy server. This is a
> well-known security problem, someone with a network sniffer could grab
lots
> of username and passwords.
>
> Alternatives to Basic Authentication include SSL-encrypted Basic
> Authentication, NTLM (NTCR) authentication, and Digest authentication.
Each
> of these has problems also.

Yes.

> NTLM and Digest are only supported by the IE browser. In addition,
NTLM
> requires that the PC OS be Win NT or that the Client for MS Networks
be
> installed on Win95/98. And NTLM can't be used if another (non-squid)
proxy
> server is in between.

Digest will hopefully be support by mozilla 1.0 there are bug reports
relating to it. The WWW org reference browser & libwww support digest as
well.

> The problem with SSL is that all traffic through the proxy server is
> encrypted/decrypted, causing performance degradation. If my users are
doing
> retrieving lots of info from the web databases they are searching what
kind
> of throughput will I see?

Client side SSL in squid is experimental (see squid.sourceforge.net). No
one has any experience to guide you, but there will be a hit of some
sort.

> I was trying to think of other ways to have a persistent connection to
a
> proxy server (to login) There is talk of a ProxyCookie standard, but
> apparently nothing is happening in this area. No browsers support it.
>
> Proxy Cookie info
> http://portal.research.bell-labs.com/~dmk/pcookies/
>

Nice idea, but it really ist just moving the definition of
authenticating around from a standard (basic/digest) to a user program
(write your own on the web server). The same issues that arise today
with basic authentication over the web will still be present.

> What do others do when they need users to authenticate to the proxy
server?
>
> Stay with insecure Basic Auth?
> Live with the performance penalty SSL imposes (how bad is it?)
> Require users to have IE?
> Any ideas?

One idea: Run IPSEC on your LAN, and use Basic Auth.

I suggest that you might find using NTLM, with a fallback to digest and
then basic authentication somewhat more acceptable. The crux of the
matter is that only Digest is a somewhat secure standards based scheme,
and few browers support it. You can put pressure on vendors to support
it though (which you can't really do for NTLM :])

Rob

> Steve Hunt
> hunt_steve@smc.edu
>
> --
> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
>
>

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Wed Feb 28 2001 - 15:20:22 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:58:16 MST