Firewall Wizards mailing list archives

Re: httptunnel


From: John Lines <John.Lines () aeat co uk>
Date: Fri, 26 Mar 1999 12:07:21 +0000

Wyllys Ingersoll wrote:

Any firewall or non-firewall proxy that does true HTTP Proxy-Authentication
will require the "Proxy-Authorization:" header field be in every
request, that is how it is defined by the HTTP RFC.  A truly secure
proxy should not be caching the credentials and allowing unauthenticated
requests to go thru.  


Correct - certainly for Squid and the Netscape Proxy server, which used to
be a great comfort to me, since a rogue program will not have an easy way
to find the user's authentication information. (to forestall lots of
browser bug threads please note I did say 'easy')

Unfortunately I suspect that as things become more web based, and with more
emphasis on user convenience, the rogue program will be a plug-in for
Internet Explorer, and it will just say to Explorer 'Pass this secure info
to the bad guys for me', and Explorer, which knows the user's authentication
information already, will pass the information on.

I would like web browsers to make their security information more visible
and more controlled. At a minimum, an ability to see all the cached
authentication information (not the actual passwords, but usernames and
zones) and to cancel those which are no longer required.

At a more paranoid level, a facility which put up a prompt box every time
the browser attempted to visit a site which had never been visited before,
and could be set to require an acknowledgement that this had really been
requested by the user, may be useful. (Similar to using x-gw through the
Firewall Toolkit or Gauntlet)

        John Lines
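As an added illustration of the point made above about per-request Proxy-Authorization (example code, not from the thread or from any of the proxies named): a strict check that demands valid credentials on every request, next to a weaker design that remembers the client address, so a second request without the header is let through. The user table, realm name and client address are constructed for the example.

```python
import base64
# Constructed credential table: username -> password (illustration only)
PROXY_USERS = {"alice": "s3cret"}
REALM = "example-proxy"  # assumed realm name

def parse_proxy_authorization(headers):
    """Return (user, password) from a Basic Proxy-Authorization header, or None."""
    value = headers.get("proxy-authorization")
    if not value:
        return None
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def strict_proxy_decision(headers):
    """Per-request check: every request must carry valid credentials.
    Returns the HTTP status and the response headers to send."""
    creds = parse_proxy_authorization(headers)
    if creds and PROXY_USERS.get(creds[0]) == creds[1]:
        return 200, {}
    return 407, {"Proxy-Authenticate": f'Basic realm="{REALM}"'}

class CachingProxy:
    """Weaker design: once a client address authenticates, later requests
    from that address pass without the header, so any program on that
    host inherits the approval."""
    def __init__(self):
        self.approved = set()

    def decide(self, client_addr, headers):
        if client_addr in self.approved:
            return 200, {}
        status, resp = strict_proxy_decision(headers)
        if status == 200:
            self.approved.add(client_addr)
        return status, resp

def demo():
    """Constructed two-request sequence: authenticated, then header-less."""
    token = base64.b64encode(b"alice:s3cret").decode()
    authed = {"proxy-authorization": f"Basic {token}"}
    strict = [strict_proxy_decision(authed)[0], strict_proxy_decision({})[0]]
    cache = CachingProxy()
    return strict, [cache.decide("10.0.0.5", authed)[0], cache.decide("10.0.0.5", {})[0]]
```

The strict variant answers 407 to the header-less second request; the caching variant answers 200, which is exactly the behaviour the post argues a proxy should not have.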



