I have a huge network with around 1000 users. We use squid(3.1.x) as forward caching proxy server, and we also authenticate our users to allow them access to the internet (helps us log what a particular user is accessing).
The problem is, this connection between client and proxy is plain text, so anyone using packet sniffer can see the login credentials of other users.
Does anyone have a solution for this?
Secure transport to HTTP proxy is not supported very well. There's another post that answers this question already.
Due the nature that proxy authentication is nothing else than HTTP Basic Authentication credentials are sent in a very weak manner. A possible solution to improve security at this point and prevent also some other attacks is to use kerberos authentication (if suitable in your environment). Depending on your client operating systems and overall setup (domain / workgroup) this is possible and also provides some nice side effects like single-sign-on.
So, its like there is nothing I can do with open source to provide good security. But, I read in squid docs that using "auth_param digest" parameter could at least convert plain-text content into hashes.
