Is `insecure_basic_auth` error expected when using HTTP proxy with HTTPS destination?

[lukasz-lapczyk]

Issue

I'm getting this error after upgrading to hackney 1.24.1 when using HTTPoison in Elixir:

{:insecure_basic_auth, "Basic authentication over HTTP is insecure..."}

Setup

options = [
  proxy: {"proxy.example.com", 8080},
  proxy_auth: {"proxy_user", "proxy_pass"},
  hackney: [basic_auth: {"api_user", "api_pass"}]
]

HTTPoison.post("https://api.secure-service.com/endpoint", body, headers, options)

• hackney: 1.24.1
• httpoison: 1.8.2

Question

Is this error expected? My understanding is:

• HTTP connection to proxy only carries CONNECT commands (no sensitive data)
• Actual API credentials are sent over HTTPS to the final destination
• This is standard enterprise proxy architecture

Current Workaround

Adding hackney: [insecure_basic_auth: true] fixes it, but I want to confirm this is the right approach.

[benoitc]

I think it's a general good practice to indeed not use basc auth even internally as it can be easily catched, but maybe we should relax it as I think it can be indeed painful to revisit alll configurations.

[benoitc]

reverted to default behaviour, please upgrade to 1.25.0 if you need to