If a proxy server requires authentication, and that proxy communicates over HTTP, are the credentials sent over plain text to the proxy server?

If this is the case, isn't it possible to sniff the packets and get the credentials?

  • Does it support Digest Authentication? – Neil McGuigan Feb 13 '16 at 02:06
  • 1
    See also: http://security.stackexchange.com/q/23561/33 . Not exactly a duplicate, since that one asks the same question but over SSL/TLS, but it is very closely connected. That said, I think the answer here is fairly obvious to you, since you've asked the question... – AviD Feb 14 '16 at 10:16

2 Answers

1

It depends on the kind of authorization request by the proxy. If this is Basic Authentication, the username and password are transferred mostly in the clear (i.e. base64) and thus can be extracted by passively sniffing the connection. This is no longer true with Digest Authentication or NTLM, although in the latter case there are other attacks to reuse the authentication information.

Steffen Ullrich
1

It depends on how the proxy server is authenticating.

If the server authenticates on a hash, then a hashed value will be sent to the server when sending the password/username.

The server will then check the hashed value based on your username & password. In this case you will be a bit safe (with a strong username and password).

If it directly uses the password corresponding to a username, then your password and username can definitely be sniffed out.

So I feel it totally depends on the design and the implementation.

sourav punoriyar
  • 2
    Even if you use hashes (I am assuming you actually mean Digest authentication?), it does not protect you against active man in the middle attacks. – AviD Feb 14 '16 at 10:15
  • Yeah, it won't be able to protect you from MITM attacks... but the MITM attacker also won't be able to generate your username and password!! – sourav punoriyar Feb 14 '16 at 13:21
  • 4
    He doesn't need to, he already has what you sent. – AviD Feb 14 '16 at 13:36