The pains of proxy authentication

A small network I manage uses Squid and today I decided to enable proxy authentication to improve security a little.  This was fairly trivial; I ended up using HTTP “basic” authentication and an existing htpasswd-style password file.

What was not trivial was the number of bugs this unearthed in little more than 10 minutes.

No changes were required to the Firefox configuration on clients, but a password dialog was presented for the first site browsed.  And the second site.  And the third one.  On some client machines with the same version of Firefox, the checkbox “use password manager to remember..” was not present.  This is marked as unconfirmed in bug 439733, but does seem to be a problem.

Another problem occurs when Firefox starts.  A lot of things happen when Firefox starts: RSS feeds are updated, addons are checked for new versions and all the previous pages that were open are loaded.  Unfortunately, each one of these generates a password prompt.  This particular issue is bug 475053.

Other programs are not perfect either.  The default package/update manager in Ubuntu does not honour the authentication configured in the Gnome global settings.  The cause?  Synaptic runs as root, but the authentication details are stored in the user’s session.  Ubuntu bug 13661 covers this; our local fix was to allow specific mirrors without authentication.
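
A sketch of the kind of squid.conf this setup implies, added here as an illustration and not the configuration actually used on this network. The helper path, password file location, client subnet and mirror hostnames are all assumptions to be replaced with local values.

```conf
# Basic authentication against an htpasswd-style file.
# Helper name and paths are assumptions; older Squid packages ship the
# helper as "ncsa_auth" and the install directory varies by distribution.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Proxy
auth_param basic children 5

# Clients allowed to use the proxy at all (assumed subnet).
acl localnet src 192.168.0.0/24

# Anyone presenting valid credentials from the password file.
acl authenticated proxy_auth REQUIRED

# Package mirrors that root-owned tools (Synaptic, apt) may reach
# without credentials. Hostnames are assumed; list only the mirrors
# the clients are really configured to use.
acl update_mirrors dstdomain archive.ubuntu.com security.ubuntu.com

# Order matters: http_access rules are evaluated top to bottom and the
# first match wins. The mirror exemption must come before the rule that
# triggers authentication, and it is limited to local clients so it does
# not become an unauthenticated path for anyone else.
http_access deny !localnet
http_access allow update_mirrors
http_access allow authenticated
http_access deny all
```

Basic authentication sends the username and password base64-encoded, not encrypted, on every request to the proxy, so the exemption list should stay short and the client-to-proxy network should be one you trust.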

I’m sure this only scratches at the surface of problems that will appear; I will post again when any of the above are fixed.

David Cannings