Re: [squid-users] HTTPS forward proxy?

From: David Deller <david.deller_at_tripcraft.com>
Date: Thu, 23 Jan 2014 18:29:10 -0500

On Jan 23, 2014, at 4:20 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:

>> Well, let me back up a little. If there was another way to
>> authenticate securely to Squid, that would also be acceptable. As I
>> mentioned before, I don’t think I’m comfortable with Digest (certainly
>> not Basic). The only other options I see are NTLM and Negotiate, which
>> both seem to be Microsoft-specific. Am I missing anything there?
>
> Those are the ones currently supported by Squid.
>
> Negotiate is only sort-of MS specific. It is usually a MS wrapper protocol around the Kerberos scheme. This is currently the most secure of auth schemes supported explicitly by Squid.
>
> NTLM is second best. NTLMv2 has most of the same high-security properties as Kerberos (slightly less algorithms though) but is much more MS-specific and violates HTTP protocol in nasty ways that block usage over the Internet / WAN.
>
> Digest is next best. The MD5 step is simply to one-way hash a short lived nonce, the password itself is never sent and the system can be configured to rotate nonces fast enough that replay attacks are very difficult (but not impossible).
>
> Basic auth is ironically both the worst and the best of all of them. It is just a scheme for sending two credential tokens to the service. Historically it has been used to send user:password details and that is terribly bad. However, provided you can configure both the sender and receiver to agree on algorithms out-of-band (the HTTP scheme provides no way to do so) you can send any type of secured one-use token in the "password" field. You just need the client to be able to generate them and a Squid Basic auth helper to verify and accept/reject. Properly done this can be far more secure than even Negotiate.

Very interesting idea. I will have to think about that.

David
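As an added illustration of the one-use-token idea in the quoted reply (example code, not Squid's own helper and not from either poster): a minimal Squid Basic auth helper that treats the "password" field as an HMAC-bound, time-limited, single-use token. It assumes a shared SECRET agreed out-of-band, a token layout of `<unix_ts>:<nonce>:<hex hmac>` produced by the client-side `make_token()`, and the Squid basic helper protocol of one `user password` line per request on stdin answered with `OK` or `ERR`.

```python
"""Added example: Squid basic-auth helper verifying one-use HMAC tokens.
Assumed token format "<unix_ts>:<nonce>:<hex hmac>"; assumed helper I/O of
"user password" lines (percent-encoded) in, "OK"/"ERR" out."""
import hmac, hashlib, os, sys, time
from urllib.parse import unquote

SECRET = b"replace-me-out-of-band"   # constructed placeholder, not a real secret
WINDOW = 60                           # seconds a token stays valid
_seen = set()                         # nonces already accepted (one use only)

def make_token(user, secret=SECRET, ts=None, nonce=None):
    """Client side: bind user, timestamp and a random nonce under an HMAC."""
    ts = int(time.time()) if ts is None else ts
    nonce = os.urandom(8).hex() if nonce is None else nonce
    msg = f"{user}:{ts}:{nonce}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{ts}:{nonce}:{mac}"

def verify_token(user, token, secret=SECRET, now=None, seen=_seen):
    """Helper side: constant-time MAC check, freshness window, then replay check."""
    now = int(time.time()) if now is None else now
    try:
        ts_s, nonce, mac = token.split(":")
        ts = int(ts_s)
    except ValueError:                # malformed token
        return False
    expected = hmac.new(secret, f"{user}:{ts}:{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False                  # wrong secret, user, or tampered fields
    if abs(now - ts) > WINDOW:
        return False                  # stale token
    if nonce in seen:
        return False                  # replay of an already-used token
    seen.add(nonce)
    return True

def handle_line(line, **kw):
    """One Squid request line ("user password") -> "OK" or "ERR"."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return "ERR"
    user, pw = unquote(parts[0]), unquote(parts[1])
    return "OK" if verify_token(user, pw, **kw) else "ERR"

if __name__ == "__main__":
    for line in sys.stdin:           # Squid keeps the helper running and streams requests
        print(handle_line(line), flush=True)
```

The replay set lives in helper memory, so with several helper children it would need to be shared (or nonces partitioned) for the one-use guarantee to hold across all of them.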
Received on Thu Jan 23 2014 - 23:29:18 MST