3.5.0 brought "Using a Proxy server with basic authentication is not secure!" error

  • fgunbin
    Junior Member
    • Oct 2024
    • 1

    Hello,

    First of all, thanks for making this great software!

    Since 3.5.0 (6000), when using an HTTP proxy with basic auth, the iOS app shows this "Using a Proxy server with basic authentication is not secure!" error.

    In my case, the OpenVPN server is located outside of my country. Foreign OpenVPN traffic is blocked on many networks here (domestic traffic is not). I put an HTTP proxy with a domestic IP in front of my server, and this has worked fine for years now. The proxy has basic auth, with just one user shared by all of my users.

    It would be a great inconvenience to ask every one of my users to go to the settings and change the security level to "insecure" as the error suggests. For now, I just tell them "do not update the app".

    Some of my concerns:
    - Turning on insecure mode just for the sake of getting rid of this error hampers "real" security (the algorithms used, etc.).
    - I'm not a security expert, but what's so insecure about an HTTP proxy with basic auth? Yes, the proxy login/password will be sent in cleartext, but how does that affect VPN security?
    - I must admit I don't understand what happens when I turn off basic auth in the proxy config in the app, and can't find that in the docs. Does it mean no auth at all? If yes, then I could turn off basic auth on my proxy server, but that would mean I now provide a publicly accessible proxy, which is something I'm not comfortable with, of course.
    - If I put the proxy configuration in the client config file itself, then there's no error and everything works fine. That would mean reissuing the config for all users, which is an annoyance but acceptable; however, setting up the proxy in the UI is cleaner and more flexible.

    Can the introduction of this enforcement be reconsidered? If not, then can it be at least made a server setting (opt-in or opt-out), for cases like mine?

    Or are there any other ways to prevent this error, without falling back to "insecure" mode, and requiring every user to do that?

    Thanks.
    Last edited by fgunbin; 2024-10-07, 03:25 PM.
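The post asks what is actually exposed when an OpenVPN client connects through an HTTP proxy with basic auth. The following is an added illustration, not code from the poster or from OpenVPN: it assembles the HTTP CONNECT request that a client sends on the proxy leg and shows that the Proxy-Authorization header carries the credential in a reversible encoding (base64, per RFC 7617), so anyone able to observe the plaintext proxy leg can read it back. The hostnames, port and credential values are constructed placeholders. The OpenVPN TLS handshake that follows the proxy's "200" response is relayed opaquely and is not weakened by this; the exposed secret is the one gating access to the proxy itself.

```python
import base64
from typing import Optional, Tuple

# Constructed sample values; none of these come from the forum post.
VPN_SERVER = "vpn.example.com"
VPN_PORT = 1194
PROXY_USER = "shared-user"
PROXY_PASS = "shared-pass"


def build_connect_request(target_host: str, target_port: int,
                          user: str, password: str) -> bytes:
    """Assemble the CONNECT request an HTTP-proxy client sends when configured
    with basic auth. The credential is base64-encoded, not encrypted."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (
        f"CONNECT {target_host}:{target_port} HTTP/1.0\r\n"
        f"Host: {target_host}:{target_port}\r\n"
        f"Proxy-Authorization: Basic {token}\r\n"
        "\r\n"
    ).encode()


def recover_credentials(request: bytes) -> Optional[Tuple[str, str]]:
    """What an observer of the plaintext proxy leg sees: parse the header and
    decode the credential. Returns None if no basic-auth header is present."""
    for line in request.decode(errors="replace").split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() != "proxy-authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token, validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return None
        user, _, password = decoded.partition(":")
        return user, password
    return None


def tunnel_payload_after_response(proxy_reply: bytes) -> bytes:
    """Everything after the proxy's response headers is the relayed tunnel
    (here it would be the OpenVPN TLS handshake), which the proxy does not
    inspect. This just splits the two so the boundary is visible."""
    head, sep, rest = proxy_reply.partition(b"\r\n\r\n")
    return rest if sep else b""


if __name__ == "__main__":
    req = build_connect_request(VPN_SERVER, VPN_PORT, PROXY_USER, PROXY_PASS)
    print(req.decode())
    print("recovered from the wire:", recover_credentials(req))
    # Constructed proxy reply followed by the first bytes of a tunnel payload.
    reply = b"HTTP/1.0 200 Connection established\r\n\r\n\x16\x03\x01"
    print("opaque tunnel bytes:", tunnel_payload_after_response(reply))
```

The password never appears literally in the request bytes, which is why basic auth can look safer than it is; the decoding step above is all that separates the two. Moving the same credential into the client config file, as the post describes, changes where the app reads it from but not what is sent on the wire.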