David Howe <DaveHowe@gmx.co.uk> wrote:
Not sure if it is what you are asking - but a HTTP proxy doesn't handle the SSL; it simply forwards the packets to the destination site, and forwards the reply back to you; the SSL encryption is handled by your machine and the server (the proxy doesn't touch it) In theory, if your corporate force-included its own root key into your browser, they could generate their own certificates on the fly and have it work transparently - but checking who issued the cert would show that up.
Doing this would violate the HTTP CONNECT semantics described in the IETF Internet-Draft "Tunneling TCP based protocols through Web proxy servers" by Ari Luotonen. Not that that's stopping anyone. I've written a perl module, Net::HTTPTunnel, that allows you to make a CONNECT tunnel through an HTTP proxy and treat it as a normal socket object (it's very simple---it just handles talking to the proxy server and returns an IO::Socket::INET object). It's available on CPAN. Note that most proxy servers are configured to allow CONNECTs only to port 443 (https) and 563 (snews). Of course, all you have to do to get around this is run an ssh server on port 443 or port 563 on a machine you control that lives outside the firewall. Using the above-mentioned perl module, have a program listening for connections on your machine inside the firewall which will, upon receiving a connection, establish a CONNECT tunnel and forward packets in both directions. Now all you do is ssh to that port on your local machine and tunnel any other protocols you want through the ssh connection (for example, run squid on the machine outside the firewall and forward a local port to the squid server across the SSH tunnel if you wish to conceal your at-work browsing habits). I'm using just such a tunnel to write this email. Of course, there are lots of ways to make tunnels. A good friend of mine used to tunnel through his high school's firewall using a program he tossed off that would get the data back and forth through the firewall in HTTP POSTs. Sure, it's more complicated, but when his school turned off CONNECTs to prevent the method described above, he took it personally. I think there's even a program out there that creates a (very high latency!) tunnel using email. -- Riad Wahby rsw@jfet.org MIT VI-2/A 2002