missing proxy authentication

[kirsche40]

1) What's going wrong / has to be changed?
Proxy authentication was removed in VBox 4.2.2 for security reasons. Since remove of this feature VBox cannot check for updates nor is it possible to check/force updates over GUI behind a proxy.

2) What did you expect to happen?
VBox uses system proxy setting like all other system applications.

3) What happened instead?
VBox cannot connect to network and shows error message.

4) Any additional information?
This report relates to Ticket #2870.

[Frank Mehnert]

That's not entirely correct. Only the authentication was removed, not the actual proxy settings. If you don't need to authenticate against the proxy then it will still work. The reason for removing the authentication was that storing passwords in a secure manner is a nightmare.

Yes, the correct fix is to use the system proxy settings and to use the system wallet manager. Unfortunately, this is a lot of effort to implement this for all the hosts we support.

[alecn2002]

frank,

This is entirely not correct solution.

Authentication is an essential part of proxy machinery, and removing the authentication possibility means that you've removed proxy support.

The correct solution to not store password insecurely is to ask for password at everry proxy authentication (or at every virtualbox session).

-- WBR, Alexander

[Frank Mehnert]

Alexander, read my previous comment again. Of course I know that storing the password in a securely manner is the correct solution but I also mentioned that this is a nightmare to get it correct on all hosts we support. Feel free to submit patches if you don't agree.

[gsmitheidw]

The correct solution to not store password insecurely is to ask for password at everry proxy authentication (or at every virtualbox session).

Problem there is storing it even in RAM may have to be secured anyway - memory may well be volatile, but for that period it would still be vulnerable to potentially being read by other memory resident applications. So even in RAM it may need encryption depending on the platform etc.

In Windows, however I notice some apps that authenticate within the Windows environment just use IE's settings for the proxy but in addition, once the proxy has been authenticated by any IE session, the access can remain for a time (until some arbitrary timeout period). Generally these are processes that use the Windows IE structures anyway (like Windows Update) but it might save re-inventing the wheel to just make an arbitrary http connection using IE in the background that in turn prompts for authentication and then use that connection to go on and check for and download Virtualbox Updates etc.

For other operating systems it may be possible to reference system environment variables etc. For NTLM authentication, something like CNTLM may be of assistance but for large deployments with egress filtered proxies and certs etc etc, this isn't practical unfortunately.

[Frank Mehnert]

Encryption in RAM is really not necessary. I know that DRAM needs some time to forget its content after the system was powered off but taking advantage of this problem is very difficult and needs special hardware. Other memory-resident applications cannot access the passwords in RAM because there are address space boundaries enforced by the OS kernel.

There is a strict security policy saying that unencrypted/unhashed passwords must not be stored on the hard disk. Using environment variables (like command line parameters) is possible but also not very convenient. Accessing IE structures from VBox is most likely not possible, too complicated and not documented.

[aeichner]

Please reopen if still relevant with a recent VirtualBox release.