Proxies and Capturing Authentication Credentials

As the administrator of any internet facing network knows, there are certain essentials in allowing your clients access to the internet.  Most networks employ a proxy server to help mitigate this risk, but simply installing a proxy and leaving it be is actually going to cause more problems than it solves.  For example one essential step you should take is to filter out the users authentication credentials before any packets are forwarded to their origin server.  The issues with this should be obvious, at any point a malicious server could capture those authentication credentials and gain access to your network.

dedicated proxies

This is the same reason that users should never be allowed access to untrusted proxy servers. Any proxy server has the same capabilities – i.e to intercept usernames and passwords.  The real issue with untrusted servers is that although you can filter out some authentication credentials for example those needed to pass a firewall or external router, any credentials needed for the destination server must be forwarded.  So if the user is accessing internet banking obviously their credentials need to be forwarded to  the banking site otherwise they wouldn’t be able to log on.  A malicious proxy server could intercept these and store them for exploitation or sale at a future date.

Generally there is little you can do about this, other than advise your users not to use any untrusted proxy servers.  There are legitmate reasons for needing to use a proxy though, especially for accessing content or sites blocked by your physical location.  Many people across the world use proxies to bypass barriers or censorship, just look at this site for one example – http://www.iplayerabroad.com/

For instance a user may need to access a US proxy server in order to access their US banking site or another geo-restricted site.  If needed they should use a paid resource from a reputable company – for instance read this post on US proxy servers.  This at least means the users are no putting their own data at risk and of course the overall network they are using.

All proxies that are used either externally or internally should be protected by SSL and be able to handle forwarding this sort of information.  Although using this encryption doesn’t completely protect your data, it does make man-in-the-middle attacks much more difficult (but not impossible). In many instances there is no ideal choice, and often you’ll need to transmit usernames and account details over unsecured links.  The reality is that security is very much an afterthought in the distributed model of the world wide web, in many situations insecure communication is sadly the standard, all you can do is to minimise the risks at your end.