If you are building an application level gateway / accelerator, then the
possibilities are larger. In such configurations SSL encrypted basic
authentication is a reality, and works quite well.
I thought you were talking about a normal proxy where the user
configures the proxy in their browser settings.
--
Henrik Nordstrom
Squid hacker

HUNT_STEVE wrote:
>
> Thank you all for your suggestions.
>
> I want to use Squid to allow authenticated users from outside our network to
> relay traffic through our IP address space, so that they may access
> IP-restricted information resources maintained by third parties. E.g.:
> encyclopedias, magazine article databases. These third parties aren't
> running https, and they want us to authenticate the users, they don't want
> to do it themselves.
>
> I have not looked at IPSec before, as Henrik suggests. I'm not sure if I
> can use it to do what I want to do.
>
> Here is a link from the Linux FreeS/WAN project (an implementation of IPSEC
> & IKE for Linux. "IPSEC is Internet Protocol SECurity. It uses strong
> cryptography to provide both authentication and encryption services."
> http://www.xs4all.nl/~freeswan/
>
> Jason Haar said "Basic plus switched network - end of problem! ;-)"
> I do have a switched network here in our LAN, but these users are coming
> into our proxy server from ISPs. So I don't think I can rest easy.
>
> Jim Drash said that SecurID works great, but it is apparently a commercial
> product. I can't buy licenses for 30,000 students!
>
> So it seems there is no cheap (free) secure way to do this?
>
> Henrik Nordstrom wrote:
> >
> > > > Alternatives to Basic Authentication include SSL-encrypted Basic
> > > > Authentication, NTLM (NTCR) authentication, and Digest
> > authentication.
> > > Each
> > > > of these has problems also.
> > >
> > > Yes.
> >
> > No. SSL-encrypted Basic authentication is not a real option for
> > proxies.
> >
> > What is an option for proxies is to use a separate login
> > method outside
> > the HTTP protocol. In most cases this is limited to IP based access
> > control.
> >
> > Or as you say, set up secure tunnels for the traffic between
> > the clients
> > and the proxy, using IPSec or any other secure tunnelling method.
> >
> > Playing with cookies might be an option, but not when contacting https
> > services. And still (if you manage to find a way to securely
> > set up the
> > session without having to lower the cookie security in the
> > browser) you
> > will have at least a recoverable session key that is transferred in
> > "plain text" on the net.
> >
> > --
> > Henrik Nordstrom
> > Squid hacker

Received on Fri Mar 02 2001 - 12:02:42 MST
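The thread turns on what a proxy's Proxy-Authorization header actually carries across the wire under Basic authentication and under the Digest alternative Henrik lists. The following is an added example, not code from the thread or from the Squid project: it builds both header forms for a constructed username, password, realm and nonces (all hypothetical values), shows that Basic yields the cleartext password to anyone who can read the request, and shows the proxy-side Digest check (RFC 2617, MD5 with qop=auth), which needs only the stored HA1 hash and never the password itself.

```python
"""Added example (not from the squid-users thread or Squid): what a proxy, or
anyone between the browser and the proxy, sees in Proxy-Authorization under
Basic versus Digest authentication. All credential, realm and nonce values
below are constructed sample data."""
import base64
import hashlib
import hmac
import re

# Constructed sample values (hypothetical, not from the thread).
USERNAME = "student42"
PASSWORD = "correct horse battery staple"
REALM = "campus-proxy"
METHOD = "GET"
URI = "http://example.org/"
SERVER_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
CLIENT_NONCE = "0a4f113b"


def md5_hex(s: str) -> str:
    """Hex MD5 as used by RFC 2617 Digest (constructed helper)."""
    return hashlib.md5(s.encode()).hexdigest()


def basic_header(user: str, password: str) -> str:
    """Proxy-Authorization value a browser sends for Basic (RFC 2617 section 2)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def recover_basic(header: str):
    """Basic is an encoding, not encryption: decoding the header returns the
    cleartext password verbatim. Returns None for any other scheme."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def digest_response(user, password, realm, nonce, method, uri, cnonce,
                    nc="00000001", qop="auth"):
    """RFC 2617 Digest response (MD5, qop=auth). Only this hash goes on the wire."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header(user, password, realm, nonce, method, uri, cnonce,
                  nc="00000001", qop="auth"):
    """Proxy-Authorization value for Digest; the password itself is absent."""
    response = digest_response(user, password, realm, nonce, method, uri,
                               cnonce, nc, qop)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop={qop}, nc={nc}, cnonce="{cnonce}", '
            f'response="{response}"')


def parse_digest(header: str):
    """Split a Digest header into its parameters; None if not a Digest header."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        return None
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', params):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def proxy_verifies_digest(header: str, stored_ha1: str, method: str) -> bool:
    """Proxy side: it stores only HA1 = MD5(user:realm:password), never the
    cleartext password, and recomputes the expected response for this request."""
    p = parse_digest(header)
    if p is None:
        return False
    try:
        ha2 = md5_hex(f"{method}:{p['uri']}")
        expected = md5_hex(f"{stored_ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")
        return hmac.compare_digest(expected, p["response"])
    except KeyError:
        return False


def password_visible_on_wire(header: str) -> bool:
    """Review check for captured requests or access logs: does the header carry
    the reusable password in directly recoverable form? True for Basic over
    cleartext HTTP. Digest returns False, but note (as the thread says each
    scheme has problems) that its response is still a password-derived hash
    exposed to offline guessing."""
    return recover_basic(header) is not None


if __name__ == "__main__":
    basic = basic_header(USERNAME, PASSWORD)
    digest = digest_header(USERNAME, PASSWORD, REALM, SERVER_NONCE, METHOD, URI, CLIENT_NONCE)
    print("Basic  :", basic, "->", recover_basic(basic))
    print("Digest :", digest)
    ha1 = md5_hex(f"{USERNAME}:{REALM}:{PASSWORD}")
    print("proxy accepts digest:", proxy_verifies_digest(digest, ha1, METHOD))
```

The Digest verification deliberately takes the stored HA1 rather than the password, which is how a proxy can validate users without the cleartext credential ever crossing the wire; Basic, by contrast, hands the password to every hop on the path, which is the point Henrik makes about a browser-configured proxy where SSL is not available to wrap it.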