[SQU] Proxy Authentication Issues

From: HUNT_STEVE <HUNT_STEVE@dont-contact.us>
Date: Wed, 28 Feb 2001 10:00:54 -0800

Hi all,

I am testing Squid for use in authentication of our off-campus users. I
have it set up with the msntauth program, and it seems to work well.

====lines from my squid.conf======
acl ourusers proxy_auth REQUIRED
http_access allow ourusers
authenticate_program /usr/local/squid/bin/msntauth
====lines from my squid.conf======

I have some concerns about authentication with proxy servers. I know that
proxy_auth is using HTTP Basic Authentication. Basic Authentication encodes
but does not encrypt the username and password. The username and password
are sent with every page accessed through the proxy server. This is a
well-known security problem: someone with a network sniffer could grab lots
of usernames and passwords.

Alternatives to Basic Authentication include SSL-encrypted Basic
Authentication, NTLM (NTCR) authentication, and Digest authentication. Each
of these has problems also.

NTLM and Digest are only supported by the IE browser. In addition, NTLM
requires that the PC OS be Win NT or that the Client for MS Networks be
installed on Win95/98. And NTLM can't be used if another (non-squid) proxy
server is in between.

The problem with SSL is that all traffic through the proxy server is
encrypted/decrypted, causing performance degradation. If my users are
retrieving lots of info from the web databases they are searching, what kind
of throughput will I see?

I was trying to think of other ways to have a persistent connection to a
proxy server (to log in). There is talk of a ProxyCookie standard, but
apparently nothing is happening in this area. No browsers support it.

Proxy Cookie info
http://portal.research.bell-labs.com/~dmk/pcookies/

What do others do when they need users to authenticate to the proxy server?

Stay with insecure Basic Auth?
Live with the performance penalty SSL imposes (how bad is it?)
Require users to have IE?
Any ideas?

Steve Hunt
hunt_steve@smc.edu
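An added illustration, not part of Steve's post or of Squid, contrasting the two schemes he names: what a Basic Proxy-Authorization header actually carries on the wire versus the RFC 2617 Digest response, which lets the proxy verify a user from a stored HA1 hash without the password ever being transmitted. The Digest values (user, realm, nonce, cnonce, URI) are the worked example from RFC 2617 section 3.5; the Basic credentials are constructed.

```python
import base64
import hashlib
import hmac

# Constants taken from the RFC 2617 section 3.5 worked example (not from the post).
REALM = "testrealm@host.com"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"


def basic_header(user, password):
    """What a browser sends for Basic auth: base64 is an encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Proxy-Authorization: Basic {token}"


def basic_credentials_from_wire(header):
    """Whoever captures the header recovers user:password with one decode step."""
    token = header.split("Basic ", 1)[1]
    return base64.b64decode(token).decode()


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 is all the proxy needs to keep; the password itself never crosses the wire."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response with qop=auth: bound to nonce, counter, method and URI,
    so a captured value cannot simply be replayed for another request."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(stored_ha1, method, uri, nonce, nc, cnonce, response):
    """Proxy-side check: recompute from the stored HA1 and compare in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    hdr = basic_header("alice", "s3cret")          # constructed credentials
    print(hdr, "->", basic_credentials_from_wire(hdr))
    ha1 = digest_ha1("Mufasa", REALM, "Circle Of Life")
    resp = digest_response(ha1, "GET", "/dir/index.html", NONCE, "00000001", "0a4f113b")
    print("Digest response on the wire:", resp)
```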

Received on Wed Feb 28 2001 - 11:03:12 MST
