On Jan 23, 2014, at 4:20 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote: >> Well, let me back up a little. If there was another way to >> authenticate securely to Squid, that would also be acceptable. As I >> mentioned before, I don’t think I’m comfortable with Digest (certainly >> not Basic). The only other options I see are NTLM and Negotiate, which >> both seem to be Microsoft-specific. Am I missing anything there? > > Those are the ones currently supported by Squid. > > Negotiate is only sort-of MS specific. It is usually a MS wrapper protocol around the Kerberos scheme. This is currently the most secure of auth schemes supported explicitly by Squid. > > NTLM is second best. NTLMv2 has most of the same high-security properties as Kerberos (slightly less algorithms though) but is much more MS-specific and violates HTTP protocol in nasty ways that block usage over the Internet / WAN. > > Digest is next best. The MD5 step is simply to one-way hash a short lived nonce, the password itself is never sent and the system can be configured to rotate nonces fast enough that replay attacks are very difficult (but not impossible). > > Basic auth is ironically both the worst and the best of all of them. It is just a scheme for sending two credential tokens to the service. Historically is has been used to send user:password details and that is terribly bad. However, provided you can configure both the sender and receiver to agree on algorithms out-of-band (the HTTP scheme provides no way to do so) you can send any type of secured one-use token in the "password" field. You just need the client to be able to generate them and a Squid Basic auth helper to verify and accept/reject. Properly done this can be far more secure than even Negotiate. Very interesting idea. I will have to think about that. David
