On Friday 12 September 2003 14.33, Marco Stolpe wrote:

> So my first question is if there exists any solution to encrypt
> those passwords (maybe SSL, maybe anyone knows of another proxy
> supporting it?).

Squid supports SSL proxy connections; unfortunately no known browser exists supporting the same. What you can do is to use an authentication scheme which does not transmit the password in plain text. I would suggest looking into the digest scheme.

> My second question is how proxy authentication maintains
> information about a user's session.

It doesn't. It is the browser who maintains the session.

> It's clear to me that even with
> a proxy, malicious plug-ins or Active-X controls in a user's
> browser could "circumvent" the proxy.

Anything triggered by the user during a browsing session and running within the browser (i.e. Active-X controls, plugins etc) can use the already active browser session to access Internet via the proxy. Software running separate from the browser probably can not, unless your OS vendor thinks it should be able to..

> user was authenticated successfully to the proxy. Now a malicious
> background process on the same machine tries to access its home URL
> through the proxy. Will the request pass or will it be blocked?

Normally it will get blocked, but it may also be the case that if this malicious software uses the HTTP support provided by the OS vendor then the user may receive a proxy login popup from the OS, or even worse, if the user already has an active browsing session then maybe your OS vendor will use this to allow the separate application to access the proxy. And if you are using NTLM authentication then there probably will not be any login popup at all as the login is automatic based on the domain logon of the local computer login session.

> What I mean is: based on which credentials (per request) does the
> proxy decide which traffic is allowed to pass through after it has
> successfully authenticated a user?

The proxy always requires valid authentication to be attached to each and every request. If there are no valid login details attached to the request to the proxy then the request will be rejected.

It is the browser or OS who maintains the browsing session and hides most of this logic from the user (the OS/browser only asks for login on first access etc).

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]
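
The digest scheme and the per-request check described in the reply above, as an added example that is not part of the original message and is not Squid's code: it builds a Basic and an RFC 2617 Digest `Proxy-Authorization` header and runs a stateless check that answers 407 to any request without valid credentials. The realm, account, nonce and URL are constructed sample values, `proxy_check` is a hypothetical helper, and nonce issuance and replay tracking are left to the caller.

```python
import base64, hashlib, hmac, re

REALM = "proxy.example"          # constructed realm
USERS = {"marco": "s3cret"}      # constructed account, known to the proxy only

def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def basic_header(user, password):
    # Basic: the password is only base64-encoded, so anyone on the path can decode it.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    # RFC 2617 with qop=auth: only a hash bound to nonce, method and URI is sent.
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def digest_header(user, password, method, uri, nonce, nc, cnonce):
    resp = digest_response(user, REALM, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

def proxy_check(method, headers, nonce):
    """Stateless decision made for every request: 200 if valid, else 407."""
    value = headers.get("Proxy-Authorization", "")
    if not value.startswith("Digest "):
        return 407
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value)
    f = {key: quoted or bare for key, quoted, bare in pairs}
    password = USERS.get(f.get("username"))
    needed = ("uri", "nc", "cnonce", "response")
    if password is None or f.get("nonce") != nonce or any(k not in f for k in needed):
        return 407
    expected = digest_response(f["username"], REALM, password, method,
                               f["uri"], nonce, f["nc"], f["cnonce"])
    ok = hmac.compare_digest(expected.encode(), f["response"].encode())
    return 200 if ok else 407

if __name__ == "__main__":
    nonce, url = "constructed-nonce-1", "http://www.example.com/"
    good = digest_header("marco", "s3cret", "GET", url, nonce, "00000001", "abc123")
    print(proxy_check("GET", {}, nonce))                             # no credentials
    print(proxy_check("GET", {"Proxy-Authorization": good}, nonce))  # valid digest
    print(base64.b64decode(basic_header("marco", "s3cret")[6:]))     # Basic is reversible
```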
