RE: Tunneling through a hostile proxy?
Roy M. Silvernail[SMTP:roy@scytale.com]
This may have been discussed before, but a Google search has turned up lacking.
Given internet access from a private intranet, through an HTTP proxy out of the user's control, is it possible to establish a secure tunnel to an outside server? I'd expect that ordinary SSL connections will secure user <-> proxy and proxy <-> server separately, with the proxy able to observe cleartext. Could an SSH connection be made under these conditions?
Pointers appreciated, thanks.
--
Roy M. Silvernail
Proprietor, scytale.com
roy@scytale.com
It's been some time since I've worked on proxies, but AFAIK, SSL connections tunnel through proxies already, and the proxy cannot examine the content of the SSL session (though of course, they *can* see where the connection is headed).

It's easy to check - go to an SSL protected website, and while viewing the page examine the certificate the site presented you with (click on 'security' in the toolbar in Netscape, or on IE, click Files->Properties->Certificates). If the certificate belongs to the site you're accessing, you're secure from observation by the proxy. (the proxy can't act as a MITM if the cert is from the far end).

If you wish to access a website which is not SSL protected, try http://www.megaproxy.com, which will encrypt browsing data between itself and your browser, even for non-SSL sites. All your local proxy can tell is that you are doing something at megaproxy (and megaproxy knows everything).

If you're interested in tunneling other protocols than HTTP, things get more complex. Assuming SSL tunneling is allowed you can run other protocols through it if you can set up the software at each end appropriately.

Peter Trei
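The certificate check described in the reply above, automated, as an added example that is not part of the original thread: it asks the proxy for a CONNECT tunnel, completes the TLS handshake inside it, and compares the SHA-256 of the certificate it receives with a fingerprint obtained out of band. The function names, the pin format and the sample byte strings are assumptions made for illustration.

```python
import hashlib
import socket
import ssl

def connect_request(host, port=443):
    """Bytes a client sends to ask an HTTP proxy for an opaque tunnel."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")

def tunnel_granted(reply):
    """True only when the proxy's status line carries a 2xx code."""
    parts = reply.split(b"\r\n", 1)[0].split()
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1][:1] == b"2"

def fingerprint(der):
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def classify(seen_der, pinned):
    """Compare the certificate seen through the proxy with the out-of-band pin."""
    pin = pinned.replace(":", "").lower()
    return "end-to-end" if fingerprint(seen_der) == pin else "intercepted"

def check_through_proxy(proxy, host, pinned, port=443, timeout=10):
    """proxy is a (host, port) tuple; returns refused, untrusted, intercepted or end-to-end."""
    with socket.create_connection(proxy, timeout=timeout) as raw:
        raw.sendall(connect_request(host, port))
        reply = b""
        while b"\r\n\r\n" not in reply:  # read the proxy's response headers
            chunk = raw.recv(4096)
            if not chunk:
                break
            reply += chunk
        if not tunnel_granted(reply):
            return "refused"
        ctx = ssl.create_default_context()  # normal chain and hostname validation stay on
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(tls.getpeercert(binary_form=True), pinned)
        except ssl.SSLCertVerificationError:
            return "untrusted"

# Constructed stand-ins for DER certificates, so the comparison runs offline.
GENUINE = b"constructed: certificate of the far-end server"
SUBSTITUTE = b"constructed: certificate minted by an intercepting proxy"
```

The pin covers the case the trust store cannot: a proxy certificate issued by a CA that has been installed on the client validates normally but has a different fingerprint. A pin has to be refreshed whenever the server legitimately replaces its certificate.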