[squid-users] Client to proxy encryption for Internet Explorer

Amos Jeffries squid3 at treenet.co.nz
Fri Apr 20 21:19:32 UTC 2018


On 21/04/18 06:55, Panagiotis Bariamis wrote:
>>"credentials" does not necessarily mean passwords.
> 
>>TLS also sends credentials in clear. It just happens those credentials
>>are called certificates. Likewise all auth schemes in HTTP (except
>>Basic) send security tokens of various types - not passwords.
> 
> When referring to credentials I mean basic ldap authentication for squid
> servers.
> Those are sent in plain text (well base64) in every request. So my
> concern is the client to proxy encryption so as to protect those
> credentials.
> 

LDAP is a database type; it is not specifically tied to the type of
credentials used either. For example, have you looked into using
Kerberos authentication? This over clear-text is similar to, or sometimes
more secure than, TLS.

 <http://www.squid-cache.org/Versions/v3/3.5/manuals/negotiate_kerberos_auth.html>
 <http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_kerberos_ldap_group_acl.html>

That is the recommended Best Practice form of authentication with MSIE
and avoids the need for TLS solely to secure the credentials. Other
reasons for TLS remain, but are less important.

Amos
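
Added example, not part of the original message: a small audit helper that classifies the `Proxy-Authorization` values a client sends to the proxy's clear-text port, showing what Basic exposes compared with a Negotiate token and flagging the case where Negotiate carries NTLM instead of Kerberos. The sample headers, user name and password are constructed, and the function name is hypothetical.

```python
import base64
import binascii

# Constructed sample header values (not taken from the thread).
SAMPLES = [
    "Basic " + base64.b64encode(b"alice:S3cret!").decode(),
    "Negotiate " + base64.b64encode(b"\x60\x82\x01\x00" + b"\x00" * 16).decode(),
    "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode(),
]


def classify(header_value):
    """Return (scheme, exposure) for one Proxy-Authorization header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return scheme, "undecodable"

    if scheme == "basic":
        # Basic is base64("user:password"), repeated on every request.
        user, sep, _password = raw.decode("utf-8", "replace").partition(":")
        if not sep:
            return scheme, "malformed"
        # The password is recoverable by decoding; report the user name only.
        return scheme, f"reusable password for user {user!r}"

    if scheme == "negotiate":
        if raw.startswith(b"NTLMSSP\x00"):
            # The client offered NTLM inside Negotiate; this is not Kerberos.
            return scheme, "NTLM fallback, not Kerberos"
        if raw[:1] == b"\x60":
            # 0x60 is the ASN.1 APPLICATION 0 tag that opens a GSS-API token.
            return scheme, "GSS-API token, no password on the wire"
        return scheme, "unknown token"

    return scheme, "unhandled scheme"


if __name__ == "__main__":
    for value in SAMPLES:
        print(classify(value))
```
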

