[squid-users] Re: Secure basic authentication. Is it possible?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 21 May 2004 16:15:10 +0200 (CEST)

On Fri, 21 May 2004, "Slivarez!" wrote:

> I'm using squid-2.5.STABLE5+basic_auth(ncsa_auth). BUT a simple sniffer
> can get USERID and PASSWORD from TCP packets. Is there any possibility
> to make basic authentication more secure?

Only if you have a browser which is capable of making SSL connections to
the proxy. So far I know of no browser capable of this, but it is rumored
the latest Mozilla can.

As an alternative you can enhance the browser to be SSL proxy enabled by
using stunnel to encrypt the connection to the proxy.

Squid has all the support required for this via the https_port directive.
It is just a matter of finding a browser with good security for proxy
connections.

If your only goal is to protect the password exchanges then using Digest
authentication is an alternative. Here I recommend the Digest helper from
Squid-3.0 with Squid-2.5. The digest helper from Squid-3.0 is compatible
with the htdigest Digest password hashing program from Apache much in the
same manner that the ncsa_auth program is compatible with the htpasswd
password hashing program from Apache (note to others: the ncsa_auth helper
in Squid-3.0 also supports MD5 hashing, not only crypt hashing).

Regards
Henrik
Received on Fri May 21 2004 - 08:15:13 MDT
