Re: [squid-users] Using proxy authentication to detect/protect from malicious software?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 12 Sep 2003 18:00:05 +0200

On Friday 12 September 2003 14.33, Marco Stolpe wrote:

> So my first question is if there exists any solution to encrypt
> those passwords (maybe SSL, maybe anyone knows of another proxy
> supporting it?).

Squid supports SSL proxy connections; unfortunately, no known browser
exists supporting the same.

What you can do is to use an authentication scheme which does not
transmit the password in plain text. I would suggest looking into the
digest scheme.

> My second question is how proxy authentication maintains
> information about a user's session.

It doesn't. It is the browser who maintains the session.

> It's clear to me that even with
> a proxy, malicious plug-ins or Active-X controls in a user's
> browser could "circumvent" the proxy.

Anything triggered by the user during a browsing session and running
within the browser (i.e. Active-X controls, plugins etc) can use the
already active browser session to access Internet via the proxy.

Software running separate from the browser probably can not, unless
your OS vendor thinks it should be able to..

> user was authenticated successfully to the proxy. Now a malicious
> background process on the same machine tries to access its home URL
> through the proxy. Will the request pass or will it be blocked?

Normally it will get blocked, but it may also be the case that if this
malicious software uses the HTTP support provided by the OS vendor
then the user may receive a proxy login popup from the OS, or even
worse, if the user already has an active browsing session then maybe
your OS vendor will use this to allow the separate application to
access the proxy.

And if you are using NTLM authentication then there probably will not
be any login popup at all as the login is automatic based on the
domain logon of the local computer login session.

> What I mean is: based on which credentials (per request) does the
> proxy decide which traffic is allowed to pass through after it has
> successfully authenticated a user?

The proxy always requires valid authentication to be attached to each
and every request. If there are no valid login details attached to the
request to the proxy then the request will be rejected. It is the
browser or OS who maintains the browsing session and hides most of
this logic from the user (the OS/browser only asks for login on first
access etc).

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Fri Sep 12 2003 - 10:00:16 MDT
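
The two points in the reply above (digest keeps the password off the wire, and the proxy checks credentials on every single request) can be seen in a short sketch. This is an added example, not part of the original message and not Squid's code; it follows the RFC 2617 `qop=auth` computation, and the user, realm, password, nonce and URL are constructed values.

```python
import base64
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def basic_value(user, password):
    # Basic scheme: base64 of "user:password", reversible by anyone on the path.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def digest_response(ha1, method, uri, nonce, nc, cnonce):
    # RFC 2617, qop=auth: MD5(HA1:nonce:nc:cnonce:auth:HA2), HA2 = MD5(method:uri)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def client_fields(user, realm, password, method, uri, nonce, nc, cnonce):
    # What the browser recomputes and attaches to each request it sends.
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    return {"username": user, "uri": uri, "nonce": nonce, "nc": nc,
            "cnonce": cnonce,
            "response": digest_response(ha1, method, uri, nonce, nc, cnonce)}

def proxy_accepts(fields, method, ha1_store, issued_nonces):
    # Proxy side: each request is judged alone; False stands for a 407 reply.
    # Simplification: nonce-count replay tracking and nonce expiry are omitted.
    if not fields or fields["nonce"] not in issued_nonces:
        return False
    ha1 = ha1_store.get(fields["username"])
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, fields["uri"], fields["nonce"],
                               fields["nc"], fields["cnonce"])
    return hmac.compare_digest(expected, fields["response"])

# Constructed sample values (hypothetical user, realm, password, nonce, URL).
USER, REALM, PASSWORD = "alice", "proxy.example", "s3cret-pass"
NONCE = "4f1c9a7be2d04c55"
URL = "http://www.example.com/"
HA1_STORE = {USER: md5_hex(f"{USER}:{REALM}:{PASSWORD}")}

if __name__ == "__main__":
    req = client_fields(USER, REALM, PASSWORD, "GET", URL, NONCE,
                        "00000001", "0a4f113b")
    print(basic_value(USER, PASSWORD))                     # password recoverable
    print(req["response"])                                 # one-way hash only
    print(proxy_accepts(req, "GET", HA1_STORE, {NONCE}))   # credentials attached
    print(proxy_accepts(None, "GET", HA1_STORE, {NONCE}))  # nothing attached
```

The proxy stores only HA1, and the response is bound to the method and URI, so a value captured from one request does not validate a different one.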
