If a proxy server requires authentication, and that proxy communicates over HTTP, are the credentials sent over plain text to the proxy server?
If this is the case, isn't it possible to sniff the packets and get the credentials?
It depends on the kind of authorization requested by the proxy. If this is Basic Authentication, the username and password are transferred mostly in the clear (i.e. base64) and thus can be extracted by passively sniffing the connection. This is no longer true with Digest Authentication or NTLM, although in the latter case there are other attacks to reuse the authentication information.
It depends on how the proxy server is authenticating.
If the server authenticates on a hash, then while sending the password/username a hashed value will be sent to the server.
The server will then check the hashed value based on your username and password. In this case you will be a bit safe (with a strong username and password).
In case it directly uses the password corresponding to a username, then definitely your password and username can be sniffed out.
So I feel it totally depends on the design and the implementation.
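As an added example (not part of either answer above), this Python sketch shows what a capture of a plain-HTTP proxy request reveals under Basic versus Digest authentication. The requests, account name, password and nonce are constructed, and the function names are hypothetical.

```python
import base64
import hashlib

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 Digest response without qop: MD5(HA1:nonce:HA2)."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")

# Constructed sample requests; the account, password and nonce are made up.
BASIC_REQ = (
    b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
    b"Proxy-Authorization: Basic " + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n"
)
DIGEST_REQ = (
    "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
    'Proxy-Authorization: Digest username="alice", realm="proxy", '
    'nonce="abc123", uri="http://example.com/", response="%s"\r\n\r\n'
    % digest_response("alice", "proxy", "s3cret", "GET", "http://example.com/", "abc123")
).encode()

def inspect_proxy_auth(raw: bytes) -> dict:
    """Report what a passive observer of this request learns about the credentials."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "proxy-authorization":
            continue
        scheme, _, rest = value.strip().partition(" ")
        if scheme.lower() == "basic":
            # base64 is an encoding, not encryption: decoding needs no key
            user, _, pw = base64.b64decode(rest).decode("latin-1").partition(":")
            return {"scheme": "Basic", "user": user, "password": pw}
        if scheme.lower() == "digest":
            # simplified parameter parser: assumes no commas inside quoted values
            params = {}
            for part in rest.split(","):
                k, _, v = part.strip().partition("=")
                params[k] = v.strip('"')
            # only a hash bound to the server nonce is on the wire
            return {"scheme": "Digest", "user": params.get("username"),
                    "password": None, "response": params.get("response")}
        return {"scheme": scheme, "password": None}
    return {"scheme": None, "password": None}
```

In both cases the username is visible on the wire; only the Basic request carries the password itself.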