Archived thread from the Anonymous Servers group, April 2005

Not the only compromise..
nobody 2005-04-05, 5:45 pm

And what are you going to do about Privoxy spilling your env. variables
on ssl connections? Privoxy, judging from its own web support page has
enough leaks to be a sieve.
Thomas J. Boschloo 2005-04-09, 8:45 pm

-----BEGIN PGP SIGNED MESSAGE-----
nobody wrote:
> And what are you going to do about Privoxy spilling your env. variables
> on ssl connections? Privoxy, judging from its own web support page has
> enough leaks to be a sieve.
Proxomitron N4.5 has this info in the readme <http://proxomitron.org/>:
You could perhaps also set an invalid address and port number as your
HTTPS proxy. And you could perhaps use both Privoxy and Proxomitron at
the same time (one chained through the other).
## SSL Support ##
Proxomitron now supports SSL (secure https) connections. This comes in
two flavors - SSLeay mode and pass-thru mode. The HTTP options under
the "settings" dialog control which is used by default.
SSLeay/OpenSSL mode
-------------------
In this mode Proxomitron decrypts incoming data, filters it, then
re-encrypts it before sending it on. This allows for nearly transparent
filtering and full control over https connections. This feat is
accomplished using the very nice Open Source SSLeay/OpenSSL libraries
(not included - see below).
** WARNING **
This mode is experimental! I would strongly discourage using active
SSL filtering for important transactions such as on-line banking or
purchases.
The connection may not be as secure, and it's better not to risk a
filter potentially creating troubles on such a page. However, since the
casual use of SSL on less important pages is increasing, sometimes you
may wish to filter it anyway. Still, keep in mind that you do so at
your own risk.
To use this mode Proxomitron must have access to "ssleay32.dll" and
"libeay32.dll" which contain all the SSL libraries and all cryptographic
routines. Otherwise "Pass-Thru" mode will be used.
Because of all the legal and patent problems involved in the USA
with any program that uses encryption, Proxomitron comes with NO
ENCRYPTION CODE WHATSOEVER. In order to filter SSL connections
you must get a copy of two additional files - "ssleay32.dll" and
"libeay32.dll". These files are part of the SSLeay/OpenSSL
library and contain all the needed routines to do SSL encryption
and decryption. In order to work they should be relatively recent
versions (this has recently been updated by me) and must be compiled
with all algorithms needed for https. I know it's a pain but it's the
only safe way I know to offer SSL support. Here are a few sources of
working DLL files at the time of this writing...
Shining Light Productions is now offering a Windows compile of OpenSSL
Other Win32 compiles of OpenSSL may work too.
http://www.shininglightpro.com/index.php?treeloc=35
The Off-By-One browser also includes these DLLs in its zip
file (and is also a small download, under 1 meg).
http://homepagesw.com/images/OffByOne.zip
NOTE: If anyone wishes to mirror these files and is located
somewhere legally able to do so please let me know.
OpenSSL is developed by the OpenSSL Project for use in the
OpenSSL Toolkit. (http://www.OpenSSL.org/) which includes
cryptographic software written by Eric Young (eay@cryptsoft.com).
and includes software written by Tim Hudson (tjh@cryptsoft.com).
(See openssl.txt for the full license)
Server Certificates And Such
----------------------------
There are some other limitations to SSL filtering. In order for
Proxomitron to act as an SSL server it must have a "certificate".
Certificates are used by web servers to identify themselves to your web
browser. They must be digitally "signed" by a known company like
VeriSign or your browser will generate a warning.
Proxomitron's certificate is located in the "proxcert.pem" file. It's
a self-signed certificate created using SSLeay (if you're familiar
with SSLeay you could create a certificate of your own). As such it
should *not* be considered secure. However it's only used for the
connection between Proxomitron and your web browser - the connection
between Proxomitron and the remote site relies on the site's certificate
not Proxomitron's. Normally the local connection to your browser never
passes outside your PC, so its security isn't really an issue. In fact,
the only reason to encrypt it at all is to make your browser think it's
connecting directly to a secure site.
This does have a few drawbacks though. When you first visit a secure
site being filtered through Proxomitron, your browser will usually
issue a warning. This happens for two reasons. First Proxomitron's
certificate won't initially be recognized by your browser (normally
you'll be allowed to add it though). Secondly, Proxomitron's
certificate will not match the name of the site you're visiting (since
it can't know that ahead of time).
Unfortunately (or perhaps fortunately) these warnings are unavoidable
since SSL was intentionally designed to prevent an intermediary from
secretly intercepting your data. Proxomitron *is* intercepting your
data, but under your control.
One way around this is to use a sort of "half-SSL" technique.
Proxomitron lets you specify in a normal non-secure "http://" URL that
you want to make an SSL connection to the actual web server - just write
the URL like so...
Original: https://some.secure.site.com/
New : http://https..some.secure.site.com/
Change the protocol back to "http://" then add "https.." to the front of
the hostname. This makes it so the connection between your browser and
Proxomitron is not encrypted but the connection from Proxomitron to the
final server is! Since the local connection to Proxomitron is usually
confined to your PC alone, this is really no less secure. However your
browser thinks it's got a normal insecure connection and won't do any
certificate checks. This can also be used to access secure pages from
browsers that may not have https support at all.
NEW: Proxomitron now can check to make sure the certificate on the
remote server is valid. It looks for a file named "certs.pem" in
the Proxomitron base folder. If found, this file should contain
a list of trusted certificate authorities in the PEM format used
by OpenSSL.
Proxomitron will pop up its own certificate warning dialog if
the SSL site's certificate has problems or can't be matched to
one of the trusted certificates on file.
By default a list of some of the more common authorities is included
(VeriSign, Thawte, and the like). A more complete file can be extracted
from the database IE uses. It's possible to use OpenSSL to convert
these into the PEM format used by OpenSSL.
First extract the ones to convert...
* Under the control panel go to...
Internet Options->Content->Certificates
* Go to the "Trusted Root certification Authorities" tab
* Select "Advanced"
* Check *only* "Server Authentication"
* "Export Format" should be PKCS #7
* exit back to certificates tab
* Pick <advanced purposes> from the drop-down selector at the top
of the "Certificate manager" tab
* Select all the certificates left in the tab's listbox and click "Export"
* Follow through and select a file to save the certs under
Now convert to PEM...
* Next run OpenSSL with the following command line and cross your fingers...
openssl pkcs7 -inform DER -outform PEM -in ie-export-filename.p7b -out certs.pem -print_certs
You should now have an OpenSSL compatible format of IE's cert list!
Keep in mind certificates are just used to help ensure you're actually
connecting to the site you think you are and not some "spoofed" site.
Whether they actually do this or not is debatable. Many sites
(especially smaller ones) may not be using properly "signed"
certificates, but this doesn't mean your connection is not as encrypted.
Really all it means is they didn't cough up some money for VeriSign's
official stamp of approval.
Likewise, a valid certificate is no guarantee a site won't rip you off -
you must still be careful before trusting a site with sensitive data.
Still, that being said, it's always safer to connect in pass-thru mode
(see below) in cases where security is critical.
Pass-Thru mode
--------------
This is similar to the support offered by many other proxies. In this
mode SSL data is simply passed to the server without any alteration.
This mode requires no special cryptographic support as the data is never
decoded.
However this method also gives little benefit except to allow proxy
switching. Proxomitron will always use pass-thru mode when bypassed, and
when the "Use SSLeay" mode is not enabled (or the SSLeay dll files are
not present). This is also the safest mode to use from a security
standpoint, and is the default mode used by Proxomitron.
##
Thomas
--
"Nothing is true. Everything is permitted" - W.S. Burroughs, Naked Lunch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iQB5AwUBQlf+AwEP2l8iXKAJAQEn2wMfcoDxGGvcoqfuO0F5CZ3Dr+6pHgpit0WT
rwZ4nhbOk80VQqzWLlBs6mp5ijVFO/v9gE+bprr/wlYrbVCX+VGbB3VWqa34k3S4
XgW2f68JUPoX5iH+bDicz/Sw8cScleD2RqyvAQ==
=x7KA
-----END PGP SIGNATURE-----
wow, an actual intelligent reply in APAS. will wonders never cease? ;-)
"Thomas J. Boschloo" <nospam@hccnet.nl.invalid> wrote in
news:4258069d$0$157$3a628fcd@reader2.nntp.hccnet.nl:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> nobody wrote:
>
> Proxomitron N4.5 has this info in the readme
> <http://proxomitron.org/>: You could perhaps also set an invalid
> address and port number as your HTTPS proxy. And you could perhaps use
> both Privoxy and Proxomitron at the same time (one chained through the
> other).
>
<snip due to Newserver limitations>
Thomas J. Boschloo 2005-04-10, 5:46 pm

-----BEGIN PGP SIGNED MESSAGE-----
fred wrote:
> wow, an actual intelligent reply in APAS. will wonders never cease? ;-)
:*) Just my memory actually working for a change ..
<g>,
Thomas
--
"Nothing is true. Everything is permitted" - W.S. Burroughs, Naked Lunch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iQB5AwUBQlkm3gEP2l8iXKAJAQEpaAMdFA139weS2OK5ounP89AO6jdpAABsU+B/
DqVs6AzwA1sH/3m5vvqAA2rB2m+4932tSGmIKWvtO6XbhRuo1QcOBSQvZ3+GgVhw
/LMDv6bAw28l+ofHUICy9WkB6ywMTxuNklnBOQ==
=kfrM
-----END PGP SIGNATURE-----