Filtering Authentication Credentials

When you use a proxy or VPN server there is a very important security consideration that you should be aware of that is sometimes overlooked.  Any connection should be very careful about how it handles any authentication credentials that are sent using that connection.  For example if you are using a proxy for all your web browsing, you will need to trust that server handling any user names and passwords that you supply to those websites.  Remember the proxy will forward all traffic to the origin server including those user credentials.

The other consideration is specific proxy server authentication credentials which also may be transmitted or passed on especially if the servers are chained.  It is common for proxy credentials to be forwarded as it’s reduces the need to authenticate multiple times against different servers.   In these situations the last proxy server in the chain should filter out the Proxy-Authorization: header if it is present.

One of the dangers is that a malicious server could intercept or capture these authentication credentials especially if they’re being passed in an insecure manner.    Any proxy involved in the route has the potential for intercepting usernames and passwords.  Many people forget this when using random free proxies they find online, they are implicitly trusting these servers and the unknown administrators with any personal details leaked whilst using these connections.  When you consider that often these free servers are merely misconfigured or ‘hacked’ servers it makes using them even more risky.

It is actually a difficult situation particularly with regards to proxies about how to deal with authentication details.  The situation with VPNs are slightly more straightforward, the details are protected during the majority of the transmission because most VPNs are encrypted.  However that last step to the target server will rely on any in built in security to the connection, although this can be effected as in this article – BBC block VPN connection.

Any server can filter out and protect authentication credentials but obviously those intended for the target can’t be removed.  It is a real risk and does highlight one of the important security considerations of using any intermediate server such as a proxy.    It is important that these servers are in themselves secure and do not introduce additional security risks into the connection.  Sending credentials particularly over a normal HTTP session are already potentially insecure without a badly configured or administered proxy server as well.

Most websites which accept usernames now at least use something like SSL to protect credentials.  However although VPN sessions will transport these connections effectively many proxies are unable to support the tunneling of SSL connections properly.  Man in the middle attacks are also common against these sort of protections and using a poorly configured proxy makes this much easier than a direct connection.  Ultimately there are several points where web security and protecting the data is a concern, it’s best to ensure that a VPN or proxy doesn’t introduce additional security risks into the connection though.

Additional Reading on UK VPN Trial