10

I have been looking for cloud-based proxies, and I notice that it's very common to authenticate to a proxy using basic auth over an unencrypted connection. I don't understand why this is considered acceptable.

Is proxy authentication different than regular basic auth? Based on this article, it seems like it is not different. Does basic proxy authentication expose credentials to anyone listening on the connection?

William Rosenbloom

1 Answer

8

HTTP Basic over an unsecured connection exposes the username and password, as you expected. Even over an encrypted connection, basic auth isn't ideal because it exposes the credentials on every new request, which means they're constantly held in memory, you can't revoke a session, and using a secure password hashing function (which should take a good fraction of a second) would be prohibitively expensive.

However, for services where there are no actual resources being protected (no sensitive user account data or control of restricted services) and the goal is just to keep the riff-raff off the proxy, it might be sufficient. Knowing the proxy credentials probably won't give the attacker any ability that they didn't already need in order to capture those credentials, except the ability to use the proxy themselves. Obviously that's bad if the proxy is doing something like access to a corporate internal network - those should be protected by a VPN or similar - but if it's just changing the country your connection appears to come from? Probably not a big deal.

CBHacking
  • The resource that's being protected could be your identity. If someone uses the proxy to launch an attack of some kind, they could impersonate you so you'll get the blame. – Barmar Dec 28 '20 at 15:17
  • @Barmar Well, third parties (target servers) can't in general get reliable information about how you authenticated to the proxy, and for the proxy operator it's going to be trivial to see that the credentials were compromised, so whatever blame comes will be easy to deflect. – TooTea Dec 28 '20 at 15:35
  • While I agree that the blame can be refuted, is it really "trivial"? I presume you'd do something like check if the client IP belongs to them. It seems like using a more effective authentication method would prevent most of this, so why not do it? – Barmar Dec 28 '20 at 15:43
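
Added example, not part of the original question, answer or comments: a small parser showing that the `Proxy-Authorization: Basic` value in a request sent to a proxy over a plain connection is only base64-encoded, so it decodes without any key, while a non-Basic scheme yields no password. The request bytes, host name and credentials are constructed for the illustration.

```python
import base64
import binascii

# Constructed sample: the head of a CONNECT request as sent to a proxy over
# plain TCP. The tunnel it opens may carry TLS to the destination, but this
# request and its Proxy-Authorization header are not covered by that TLS.
_TOKEN = base64.b64encode(b"alice:s3cret:with:colons")   # made-up credentials
SAMPLE_REQUEST = (
    b"CONNECT example.org:443 HTTP/1.1\r\n"
    b"Host: example.org:443\r\n"
    b"proxy-authorization: Basic " + _TOKEN + b"\r\n"
    b"\r\n"
)


def proxy_credentials(raw_request: bytes):
    """Return (scheme, user, password) from a raw request head, or None.

    user and password are None unless the scheme is Basic and well-formed.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:            # skip the request line
        name, sep, value = line.partition(b":")
        # Header names are case-insensitive.
        if not sep or name.strip().lower() != b"proxy-authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            # e.g. Digest: the header does not carry the password itself.
            return scheme.decode("ascii", "replace"), None, None
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            return "Basic", None, None               # malformed token
        # Only the first colon separates user from password.
        user, sep, password = decoded.partition(b":")
        if not sep:
            return "Basic", None, None
        return ("Basic", user.decode("utf-8", "replace"),
                password.decode("utf-8", "replace"))
    return None


if __name__ == "__main__":
    print(proxy_credentials(SAMPLE_REQUEST))
```
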