On Thu, Sep 07, 2017 at 11:51:46PM +1000, Erik Christiansen wrote:
> On 07.09.17 13:32, Adam Borowski wrote:
> > On Thu, Sep 07, 2017 at 09:17:20PM +1000, Erik Christiansen wrote:
> > > If our hosts cannot be trusted not to phone home to folk wearing dark
> > > glasses, then would it not suffice to employ a simple embedded host with
> > > a small die, such as an ARM, e.g. Beaglebone Black, as a firewall?
> >
> > It's not hard to trigger a backdoor using a higher level protocol, from
> > Javascript, etc.
>
> But no-one who is awake would enable java or any of that stuff on a firewall.
> Back doors on the LAN can't phone home through a minimal-silicon RISC
> embedded firewall which is just too small to contain any secondary CPU.
> It just needs to run a minimal kernel with packet routing capability.
> Everything else is a door into vacuum.
You don't make a separate TCP connection, you put it into a stream the user
already has. And no firewall can distinguish an https connection from another,
other than the destination (the black glasses guys won't use a .nsa.gov server)
or perhaps some flow patterns if you tunnel certain long-lived protocols inside
the https connection -- which isn't possible if they use anything that resembles
a typical browsing session.

Meow!
-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢰⠒⠀⣿⡁ Vat kind uf sufficiently advanced technology iz dis!?
⢿⡄⠘⠷⠚⠋⠀
⠈⠳⣄⠀⠀⠀⠀ -- Genghis Ht'rok'din

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
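The reply above says a firewall that only routes packets can tell one https session from another only by destination or, at best, by flow patterns. The following is an added example (not code from the thread or from any Devuan project) of what such a flow-pattern heuristic looks like on the defender's side: it groups connection-log records by destination and flags destinations whose sessions recur at near-constant intervals and send far more than they receive. The log records, IP addresses and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection log: (timestamp_s, dst_ip, bytes_up, bytes_down).
# Every record is TCP/443; a packet-routing firewall sees only this metadata.
FLOWS = [
    (0,   "198.51.100.7", 900,  52000),   # ordinary browsing: bursty, download-heavy
    (3,   "198.51.100.7", 400,  18000),
    (47,  "198.51.100.7", 1200, 210000),
    (120, "198.51.100.7", 300,  9000),
    (0,   "203.0.113.9",  4100, 600),     # suspect: periodic, upload-heavy
    (60,  "203.0.113.9",  4000, 580),
    (120, "203.0.113.9",  4200, 610),
    (180, "203.0.113.9",  3900, 590),
    (240, "203.0.113.9",  4100, 600),
]


def score_destination(records, min_flows=4, max_cv=0.2, min_up_ratio=2.0):
    """Return (flagged, cv, up_ratio) for the records of one destination.

    cv is the coefficient of variation of the inter-arrival times (0 means
    perfectly periodic); up_ratio is bytes sent divided by bytes received.
    Thresholds are illustrative assumptions, not tuned values.
    """
    if len(records) < min_flows:
        return False, None, None
    times = sorted(r[0] for r in records)
    gaps = [b - a for a, b in zip(times, times[1:])]
    cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
    up = sum(r[2] for r in records)
    down = sum(r[3] for r in records)
    up_ratio = up / down if down else float("inf")
    return (cv <= max_cv and up_ratio >= min_up_ratio), cv, up_ratio


def flag_beacons(flows, **thresholds):
    """Group flows by destination; return the set of destinations flagged."""
    by_dst = defaultdict(list)
    for rec in flows:
        by_dst[rec[1]].append(rec)
    return {dst for dst, recs in by_dst.items()
            if score_destination(recs, **thresholds)[0]}


if __name__ == "__main__":
    for dst in sorted({r[1] for r in FLOWS}):
        print(dst, score_destination([r for r in FLOWS if r[1] == dst]))
    print("flagged:", flag_beacons(FLOWS))
```

As the reply notes, traffic shaped like a normal browsing session (irregular timing, download-heavy) would not trip a heuristic like this, so destination reputation and flow statistics are a partial control, not a guarantee.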