On Jan 23, 2014, at 4:20 PM, Amos Jeffries <[email protected]> wrote:
>> Well, let me back up a little. If there was another way to >> authenticate securely to Squid, that would also be acceptable. As I >> mentioned before, I don’t think I’m comfortable with Digest (certainly >> not Basic). The only other options I see are NTLM and Negotiate, which >> both seem to be Microsoft-specific. Am I missing anything there? > > Those are the ones currently supported by Squid. > > Negotiate is only sort-of MS specific. It is usually a MS wrapper protocol > around the Kerberos scheme. This is currently the most secure of auth schemes > supported explicitly by Squid. > > NTLM is second best. NTLMv2 has most of the same high-security properties as > Kerberos (slightly less algorithms though) but is much more MS-specific and > violates HTTP protocol in nasty ways that block usage over the Internet / WAN. > > Digest is next best. The MD5 step is simply to one-way hash a short lived > nonce, the password itself is never sent and the system can be configured to > rotate nonces fast enough that replay attacks are very difficult (but not > impossible). > > Basic auth is ironically both the worst and the best of all of them. It is > just a scheme for sending two credential tokens to the service. Historically > is has been used to send user:password details and that is terribly bad. > However, provided you can configure both the sender and receiver to agree on > algorithms out-of-band (the HTTP scheme provides no way to do so) you can > send any type of secured one-use token in the "password" field. You just need > the client to be able to generate them and a Squid Basic auth helper to > verify and accept/reject. Properly done this can be far more secure than even > Negotiate. Very interesting idea. I will have to think about that. David
