Firewall Wizards mailing list archives
Re: httptunnel
From: John Lines <John.Lines () aeat co uk>
Date: Fri, 26 Mar 1999 12:07:21 +0000
Wyllys Ingersoll wrote:
Any firewall or non-firewall proxy that does true HTTP Proxy-Authentication will require the "Proxy-Authorization:" header field be in every request, that is how it is defined by the HTTP RFC. A truly secure proxy should not be caching the credentials and allowing unauthenticated requests to go thru.
Correct - certainly for Squid and the Netscape Proxy server, which used to be a great comfort to me, since a rogue program will not have an easy way to find the user's authentication information. (To forestall lots of browser bug threads, please note I did say 'easy'.)

Unfortunately I suspect that as things become more web based, and with more emphasis on user convenience, the rogue program will be a plug-in for Internet Explorer, and it will just say to Explorer 'Pass this secure info to the bad guys for me', and Explorer, which knows the user's authentication information already, will pass the information on.

I would like web browsers to make their security information more visible and more controlled. At a minimum, an ability to see all the cached authentication information (not the actual passwords, but usernames and zones) and to cancel those which are no longer required. At a more paranoid level, a facility which put up a prompt box every time the browser attempted to visit a site which had never been visited before, and could be set to require an acknowledgement that this had really been requested by the user, may be useful. (Similar to using x-gw through the Firewall Toolkit or Gauntlet.)

John Lines
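
An added example, not part of the original message: a sketch of the per-request Proxy-Authorization check described in the quoted paragraph, beside a variant that remembers a client address after one successful authentication. The user table, client address and requests are constructed for illustration, Basic is assumed as the scheme, and 200 stands for "request forwarded".

```python
import base64
import hmac

# Constructed sample credentials; a real proxy would use its own user store.
USERS = {"alice": "s3cret"}

def parse_headers(raw: bytes) -> dict:
    """Return the header fields of a raw HTTP request, names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def credentials_ok(headers: dict) -> bool:
    """Validate a Basic Proxy-Authorization header against USERS."""
    scheme, _, blob = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and bad UTF-8
        return False
    user, sep, password = decoded.partition(":")
    expected = USERS.get(user)
    return bool(sep) and expected is not None and hmac.compare_digest(
        password.encode(), expected.encode())

def strict_proxy(requests):
    """Per-request check: every request must carry valid credentials."""
    return [200 if credentials_ok(parse_headers(r)) else 407 for r in requests]

def caching_proxy(requests, client="10.0.0.5"):
    """Weak variant: trusts the client address after one success."""
    trusted, out = set(), []
    for r in requests:
        if client in trusted or credentials_ok(parse_headers(r)):
            trusted.add(client)
            out.append(200)
        else:
            out.append(407)
    return out

TOKEN = base64.b64encode(b"alice:s3cret").decode()
BROWSER = f"GET http://example.com/ HTTP/1.0\r\nProxy-Authorization: Basic {TOKEN}\r\n\r\n".encode()
ROGUE = b"GET http://example.com/x HTTP/1.0\r\nHost: example.com\r\n\r\n"  # no credentials

if __name__ == "__main__":
    print(strict_proxy([BROWSER, ROGUE]), caching_proxy([BROWSER, ROGUE]))
```

With the strict check, the second request from the same host is answered with 407 because it carries no header; the caching variant forwards it.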