Re: [squid-users] secure basic authentication

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sat, 11 Feb 2006 14:52:12 +0100 (CET)

On Wed, 18 Jan 2006, Emilio Casbas wrote:

> -basic authentication is insecure by nature.

True.

> -basic authentication + SSL only is secure in the logon, but because of the
> stateless characteristic of HTTP, it will send the consecutive
> sensitive headers in clear text.

Not sure I follow what you say entirely.

> -Digest doesn't support LDAP at this moment, it isn't Single Sign On.

True.

LDAP support is available in the digest helper found in Squid-3 (same
helper also works with 2.5). But it requires either the plaintext password
or a Digest specific password hash to be registered in the LDAP tree..

In future we hope to be able to add integration with Digest capable
authentication services (including MS AD with Digest enabled), but this is
a future feature and most likely won't be seen until Squid-3.1 the
earliest. And even then it wouldn't be a single sign on solution as the
clients do not support Digest single sign on..

> -NTLM isn't a standard HTTP authentication scheme.

True..

> Then, which is the best and secure method to implement basic proxy
> authentication in a proxy environment?

If only clients supported SSL/TLS encryption of proxy connections this
would be a great alternative.

Until then Digest or NTLM authentication is the best you can currently
get.

Basic:

    + Standard
    + Integrates with anything you can imagine thanks to the
username+password exchange.

    - password transmitted to the proxy, in plain text if the communication
channel is not encrypted.

Digest:

    + Standard
    + Supported by nearly all web browsers

    - Hard to integrate with user directory services
    - Not all browsers implement this well..

NTLM:

    + Microsoft "standard"
    + Single-sign-on in Windows environments

    - Not following HTTP standard
    - Noticeable overhead

Negotiate (GSSAPI / Kerberos):

    + Microsoft "standard" and future direction
    + Single-sign-on in Windows environments
    + Not plagued by the huge overhead of NTLM authentication

    - Not supported in Squid-2.5 (patch available)
    - Not supported in Samba-3.x (Samba-4 development snapshots reportedly
work..)
    - Not well supported by other browsers than MSIE.
    - Not even MSIE supports it to proxies (only web servers/accelerators)
    - Not following HTTP standard (same design fault as NTLM)

Regards
Henrik
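An added illustration of the Basic vs. Digest point above (example code, not from the thread or from Squid): the Basic credential on the wire decodes straight back to the password, while a Digest exchange only carries an MD5 response that the proxy can verify from a stored HA1 hash, which is the "Digest specific password hash" a directory would hold for the helper. The user, realm, nonce, and header values are constructed for the example.

```python
import base64
import hashlib

# Constructed Basic credential as it would appear in every request the
# client sends through an unencrypted proxy connection.
BASIC_VALUE = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")


def credentials_from_basic(header_value: str):
    """Recover user and password from a Basic Proxy-Authorization value.

    Anyone able to read the (unencrypted) client-to-proxy connection can do
    exactly this, and HTTP being stateless, the credential repeats on each
    request, not only at logon."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password).  This is what a directory must store
    for a Digest helper that is not given the plaintext password; note that
    it is bound to one realm, which is why it is awkward to share with
    ordinary directory services."""
    return md5hex(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response with qop=auth.  Only this hash crosses the wire;
    the password itself never leaves the client."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def proxy_verifies(stored_ha1: str, method: str, uri: str, nonce: str,
                   nc: str, cnonce: str, client_response: str) -> bool:
    """Proxy-side check: recompute the response from the stored HA1 and the
    challenge parameters it issued, and compare with what the client sent."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return expected == client_response
```

Run the verification with a wrong stored hash (or a replayed response under a fresh nonce) and it fails, which is what makes the proxy-side check meaningful.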
Received on Sat Feb 11 2006 - 06:52:16 MST