Tunneling through hostile proxy
Adam Back
adam at cypherspace.org
Tue Jul 23 12:24:26 PDT 2002
On Tue, Jul 23, 2002 at 06:11:04PM +0000, Jason Holt wrote:
> The default behavior for an SSL proxy is to pass the encrypted bytes
> back and forth, allowing you to connect all the way to the other server.
This isn't just the default behavior; it's the only defined behavior,
right?
> However, it is possible for the proxy to have its own CA which has
> been added to your browser. Then it acts as a man in the middle and
> pretends to be the remote host to you, and vice versa. In that
> case, it works as you describe, watching the data during its interim
> decryption.
While it's _possible_ to do this, I've never heard of a server-hosted
application that advertises that it's doing this. I would think it
would be quite hard to get a CA to issue you a certificate if this is
what you intended to do with it (act as a general MITM on SSL
connections you proxy).
There have been applications which do this locally, e.g. a no longer
shipped product called SafePassage by c2.net, and Achilles, an SSL
debugger, both of which are local proxies and both of which ask the
user to install a certificate allowing this when they are installed.
The installed certificate is self-signed, however, and not issued by a
CA, as it is only valid for that user's machine anyway; the user won't
want to buy a cert to authenticate information to their own machine,
it would be less secure to do so, and the user won't want to pay for
this certificate.
> Typically, the proxy would give you generic certificates (like
> "*.com"),
Is there any software actually doing this? (I know wildcard certs
are available, but would think a wildcard cert on .com would be a
very dangerous thing for a CA to issue, and you'd hope browsers would
be smart enough to reject such certs).
> but it could conceivably generate a certificate for each site you
> visit ("secure.yahoo.com", etc.).
This is what SafePassage et al do.
Adam
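The mechanism the message attributes to SafePassage and Achilles (a self-signed CA installed into the user's browser, with a certificate minted on the fly for each site the user visits) is easy to see in a few dozen lines of Go's standard crypto/x509 package. The program below is an added example written for this archive page; it is not code from the original post, from c2.net, or from Achilles. The type and function names (localCA, LeafFor, trustedBy) and the CA's common name are assumptions made for the illustration. It mints a per-hostname leaf signed by the local root and then checks what a browser checks: the leaf chains to the installed proxy CA and is bound to exactly one hostname, while a browser that never installed that CA rejects it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"time"
)

// leaf is one minted (certificate, key) pair the proxy presents for a host.
type leaf struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// localCA is the self-signed root a local intercepting proxy asks the user
// to install. The name is hypothetical; this is not any real product's code.
type localCA struct {
	cert   *x509.Certificate
	key    *ecdsa.PrivateKey
	leaves map[string]*leaf // per-hostname cache: mint once, reuse afterwards
}

// randomSerial draws a 127-bit random serial so no two minted certs collide.
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
}

// newLocalCA creates the self-signed root. Nothing here involves a public
// CA: the root is only meaningful on the machine that installs it.
func newLocalCA() (*localCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "Local SSL Proxy CA (example)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	// Self-signed: the template is its own parent and signs with its own key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &localCA{cert: cert, key: key, leaves: map[string]*leaf{}}, nil
}

// LeafFor returns the certificate the proxy presents when the browser
// connects to host, minting it and signing it with the local CA on first use.
func (ca *localCA) LeafFor(host string) (*leaf, error) {
	if l, ok := ca.leaves[host]; ok {
		return l, nil
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // one exact name per site, not a wildcard
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	l := &leaf{cert: cert, key: key}
	ca.leaves[host] = l
	return l, nil
}

// trustedBy asks what a browser asks: does the leaf chain to root and is it
// valid for host? Only a browser that installed this proxy's root says yes.
func trustedBy(l *leaf, root *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := l.cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() {
	ca, err := newLocalCA()
	if err != nil {
		log.Fatal(err)
	}
	l, err := ca.LeafFor("secure.yahoo.com")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("minted %q issued by %q\n", l.cert.Subject.CommonName, l.cert.Issuer.CommonName)
	fmt.Println("browser with the proxy CA installed trusts it:", trustedBy(l, ca.cert, "secure.yahoo.com"))
	stranger, err := newLocalCA() // some other machine's root, never installed here
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("browser without it trusts it:", trustedBy(l, stranger.cert, "secure.yahoo.com"))
}
```

The leaf carries a single exact DNS name rather than a wildcard, which is the cleaner design for a local interceptor: each site gets its own certificate, minted at first connect and cached, and nothing the proxy issues is valid for a name it has not actually seen the browser request.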