>"credentials" does not necessarily mean passwords.
>TLS also sends credentials in clear. It just happens those credentials
>are called certificates. Likewise all auth schemes in HTTP (except
>Basic) send security tokens of various types - not passwords.
When referring to credentials I mean basic ldap authentication for squid servers. >TLS also sends credentials in clear. It just happens those credentials
>are called certificates. Likewise all auth schemes in HTTP (except
>Basic) send security tokens of various types - not passwords.
Those are sent in plain text (well base64) in every request. So my concern is the client to proxy encryption so as to protect those credentials.
On Fri, Apr 20, 2018 at 9:48 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 21/04/18 06:40, Panagiotis Bariamis wrote:
>>Unfortunately the answer there is "no" in regard to IE support. AFAIK
>>the MS team working on IE also have no plans to add it. IE is formally
>>on its way towards deprecation so major new functionality like that is
>>highly unlikely to happen. Their Edge browser may be a different story.
> Well if they add in in Edge it is going to be system wide as in Internet
> Explorer. Hopefully they will add the functionality at least at Edge.
>
>
>>Which leaves only the SSL-Bump functionality in Squid to MITM the traffic.
> This functionality does not help much as the problem is the credentials
> sent over clear text to proxies .
>
"credentials" does not necessarily mean passwords.
TLS also sends credentials in clear. It just happens those credentials
are called certificates. Likewise all auth schemes in HTTP (except
Basic) send security tokens of various types - not passwords.
Amos
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
