Tunneling through a hostile proxy?
This may have been discussed before, but a Google search has turned up lacking.

Given internet access from a private intranet, through an HTTP proxy out of the user's control, is it possible to establish a secure tunnel to an outside server? I'd expect that ordinary SSL connections will secure user <-> proxy and proxy <-> server separately, with the proxy able to observe cleartext. Could an SSH connection be made under these conditions?

Pointers appreciated, thanks.
--
Roy M. Silvernail
Proprietor, scytale.com
roy@scytale.com
Roy M. Silvernail <roy@scytale.com> was seen to declaim:
> Given internet access from a private intranet, through an HTTP proxy out of the user's control, is it possible to establish a secure tunnel to an outside server? I'd expect that ordinary SSL connections will secure user <-> proxy and proxy <-> server separately, with the proxy able to observe cleartext. Could an SSH connection be made under these conditions?

Not sure if it is what you are asking - but a HTTP proxy doesn't handle the SSL; it simply forwards the packets to the destination site, and forwards the reply back to you; the SSL encryption is handled by your machine and the server (the proxy doesn't touch it). In theory, if your corporate force-included its own root key into your browser, they could generate their own certificates on the fly and have it work transparently - but checking who issued the cert would show that up.
David Howe <DaveHowe@gmx.co.uk> wrote:
> Not sure if it is what you are asking - but a HTTP proxy doesn't handle the SSL; it simply forwards the packets to the destination site, and forwards the reply back to you; the SSL encryption is handled by your machine and the server (the proxy doesn't touch it). In theory, if your corporate force-included its own root key into your browser, they could generate their own certificates on the fly and have it work transparently - but checking who issued the cert would show that up.
Doing this would violate the HTTP CONNECT semantics described in the IETF Internet-Draft "Tunneling TCP based protocols through Web proxy servers" by Ari Luotonen. Not that that's stopping anyone.

I've written a perl module, Net::HTTPTunnel, that allows you to make a CONNECT tunnel through an HTTP proxy and treat it as a normal socket object (it's very simple---it just handles talking to the proxy server and returns an IO::Socket::INET object). It's available on CPAN.

Note that most proxy servers are configured to allow CONNECTs only to port 443 (https) and 563 (snews). Of course, all you have to do to get around this is run an ssh server on port 443 or port 563 on a machine you control that lives outside the firewall. Using the above-mentioned perl module, have a program listening for connections on your machine inside the firewall which will, upon receiving a connection, establish a CONNECT tunnel and forward packets in both directions. Now all you do is ssh to that port on your local machine and tunnel any other protocols you want through the ssh connection (for example, run squid on the machine outside the firewall and forward a local port to the squid server across the SSH tunnel if you wish to conceal your at-work browsing habits). I'm using just such a tunnel to write this email.

Of course, there are lots of ways to make tunnels. A good friend of mine used to tunnel through his high school's firewall using a program he tossed off that would get the data back and forth through the firewall in HTTP POSTs. Sure, it's more complicated, but when his school turned off CONNECTs to prevent the method described above, he took it personally. I think there's even a program out there that creates a (very high latency!) tunnel using email.
--
Riad Wahby
rsw@jfet.org
MIT VI-2/A 2002
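An added illustration of the proxy-side view of what Riad describes (this is example code written for this page, not code from the thread and not Net::HTTPTunnel): a CONNECT allow-list of ports 443 and 563 says nothing about what is carried inside the tunnel, but the client's first bytes do. A TLS client opens with a ClientHello record, while an SSH client announces itself with a plaintext "SSH-" identification string. The hostnames and byte strings below are constructed sample input.

```python
import re

# Ports proxies typically allow for CONNECT: https (443) and snews (563).
ALLOWED_CONNECT_PORTS = {443, 563}
CONNECT_RE = re.compile(rb"^CONNECT\s+([^\s:]+):(\d+)\s+HTTP/1\.[01]")

def parse_connect(request_line: bytes):
    """Return (host, port) from a CONNECT request line, or None if it is not one."""
    m = CONNECT_RE.match(request_line)
    if not m:
        return None
    return m.group(1).decode("ascii"), int(m.group(2))

def classify_first_bytes(data: bytes) -> str:
    """Guess the client's protocol from its first bytes inside the tunnel.
    TLS: handshake record (0x16, version 0x03 0x0X) with a ClientHello (0x01) at offset 5.
    SSH: the client sends a plaintext 'SSH-...' identification string (RFC 4253).
    Anything else, including an empty read, is 'unknown' so it is still flagged."""
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    if data.startswith(b"SSH-"):
        return "ssh"
    return "unknown"

def decide(request_line: bytes, first_bytes: bytes) -> str:
    """Combine the port allow-list with the payload check into one verdict string."""
    parsed = parse_connect(request_line)
    if parsed is None:
        return "reject: not a CONNECT request"
    host, port = parsed
    if port not in ALLOWED_CONNECT_PORTS:
        return f"reject: port {port} not in allow-list"
    kind = classify_first_bytes(first_bytes)
    if kind != "tls":
        return f"alert: CONNECT to {host}:{port} carries {kind}, not TLS"
    return f"allow: TLS to {host}:{port}"

# Constructed sample sessions: a real-looking TLS ClientHello prefix, an SSH banner,
# and a CONNECT to a port outside the allow-list. Hostnames are made up.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"
SAMPLES = [
    (b"CONNECT www.example.com:443 HTTP/1.1\r\n", TLS_CLIENT_HELLO),
    (b"CONNECT tunnel.example.net:443 HTTP/1.0\r\n", SSH_BANNER),
    (b"CONNECT tunnel.example.net:22 HTTP/1.1\r\n", SSH_BANNER),
]

def run_demo():
    """Return the verdict for each constructed sample, in order."""
    return [decide(req, first) for req, first in SAMPLES]
```

The second sample is the case from the thread: an ssh server parked on port 443 passes the port check but is caught by the first-bytes check.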
Take a look at http://www.htthost.com

This allows you to tunnel through a proxy using HTTP and arrive at an external tunnel server. The tunnel link through the proxy can be encrypted using a static symmetric key (no SSL). The tunnel server can be running on a machine over which you have control on the outside of the proxy zone. I'm assuming that you want to do what I am doing (that is to keep whatever I am doing from the proxy log files) so a symmetric key would do you and will save on the key set up. The system is free, but is only suitable for Windows boxes.

Hope this helps.

At 08:01 23.07.2002 -0500, you wrote:
> This may have been discussed before, but a Google search has turned up lacking.
>
> Given internet access from a private intranet, through an HTTP proxy out of the user's control, is it possible to establish a secure tunnel to an outside server? I'd expect that ordinary SSL connections will secure user <-> proxy and proxy <-> server separately, with the proxy able to observe cleartext. Could an SSH connection be made under these conditions?
>
> Pointers appreciated, thanks.
> --
> Roy M. Silvernail
> Proprietor, scytale.com
> roy@scytale.com
> separately, with the proxy able to observe cleartext. Could an SSH connection be made under these conditions?

SSH java applets exist:
http://www.appgate.com/ag.asp?template=products&level1=product_mindterm
http://javassh.org/

Therefore, you could simply publish the java ssh client of your choice on an off-site web server of your choice, then hit that web server from behind your proxy using HTTPS (on the standard port 443) using IE or Netscape, etc., and accomplish your goal. No tunneling needed - just plain old https traffic. The ssh traffic flows only between the off-site web server publishing the applet and the host you direct it to ssh into.
-----
John Kozubik - john@kozubik.com - http://www.kozubik.com
John Kozubik <john@kozubik.com> was seen to declaim:
> SSH java applets exist:
> http://www.appgate.com/ag.asp?template=products&level1=product_mindterm
> http://javassh.org/

And indeed are very useful - but I think you miss the whole point of a java applet. The applet downloads to (and runs on) the local pc, therefore the SSH connection will be outbound from the local pc - and no better than just running up a copy of puTTY, but with half the features.