On Sat, Jun 27, 2015 at 2:55 PM, Jonathan Bennett <[email protected]>
wrote:

> A couple lines of thought collided today during a conversation with a
> friend who is also an fwknop user. Sending a knock over http is a clever
> feature, and the hidden service idea is really cool. For example, I have a
> web server that also has a cacti service in order to monitor that service.
> However, I don't really want to log into cacti over http, as it would send
> my username and password in the clear.
>
> An https request sends an encrypted url request. Pcap cannot sniff this
> encrypted url. While doing some work on the http support in the Android
> client, I observed that an http request (or an https request) will write
> the requested url to the Apache access_log file.
>
> So, what if instead of using pcap to sniff incoming connections, we added
> an option to watch an Apache access_log for an http or https request that
> contained a valid SPA string.
>
> The use case would be a hidden service that is accessed entirely over the
> encrypted ssl channel. To anyone watching, all the traffic would look like
> https access to the public web site, but we could send an SPA packet and
> access a hidden service all using ssl over port 443.
>

Yes, this would be an excellent addition. There is precedent on the fwknopd
side of things to acquire SPA data via non-pcap means, and the safest right
now - for those that consider linking against libpcap to be a security risk
- is the UDP listener mode. I think reading from a log is another strategy
that is right in line with this since fwknopd would not need to sniff the
wire or listen on a socket. At the same time, it preserves the crypto model
of SPA itself. The "single" part of SPA would not be preserved, but this is
already the case with both the TCP and HTTP sending modes in the client.

For implementation, on the server side, for Apache log reading mode we
should skip linking against libpcap at compile time just as for the UDP
listener mode. For the client, I think we should probably leverage SSL/TLS
via wget (when it supports it) just as for the IP resolution stuff instead
of linking against an SSL library. At least, this would be for the C
client, but other clients could use different strategies. What would be the
right way to do this in your Android client?

Would you like to open an issue on GitHub on the fwknop repository for this
feature? It would be nice to get this maybe even into 2.6.7.

Thanks,

--Mike


>
> --Jonathan
>
>
> _______________________________________________
> Fwknop-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
>
>


-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
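As an added illustration of the access_log reading mode discussed in this thread (this is example code written for this page, not fwknop's own code, and the token format below is an illustrative base64url payload plus HMAC-SHA256 tag, not fwknop's SPA wire format), the following Python script takes Apache combined-format log lines, pulls a candidate token out of the logged request path, verifies the HMAC in constant time, enforces a freshness window, and keeps a replay cache so that a token copied from the log cannot be reused. The shared key and the log lines are constructed for the demo; the field names `ts`, `src` and `open` are assumptions.

```python
# Added example (not fwknop's code): validate SPA-style tokens carried in
# request URLs read from an Apache access log, instead of sniffing with pcap.
# The token format (base64url payload "." base64url HMAC-SHA256 tag) is an
# illustrative stand-in, NOT fwknop's wire format. Key and log lines are
# constructed for the demo.
import base64
import hashlib
import hmac
import json
import re
import time

SHARED_KEY = b"constructed-demo-hmac-key"   # assumption: pre-shared with the client
MAX_AGE = 120                                # seconds a token stays valid


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_spa_url(fields: dict, key: bytes = SHARED_KEY) -> str:
    """Client side: encode fields, append the HMAC tag, return the URL path."""
    payload = _b64e(json.dumps(fields, sort_keys=True).encode())
    tag = _b64e(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return "/" + payload + "." + tag


# Apache "combined" format: only the quoted request line is needed here.
_REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# A path that can carry a token: base64url payload "." 43-char base64url tag.
_TOKEN = re.compile(r'^/(?P<payload>[A-Za-z0-9_-]{16,})\.(?P<tag>[A-Za-z0-9_-]{43})$')


def extract_token(line: str):
    """Return (payload, tag) if the logged request path looks like a token, else None."""
    m = _REQ.search(line)
    if not m:
        return None
    t = _TOKEN.match(m.group("path"))
    return (t.group("payload"), t.group("tag")) if t else None


def verify_token(payload: str, tag: str, seen: set, now: float, key: bytes = SHARED_KEY):
    """Server side: constant-time HMAC check, freshness window, then replay cache.
    Returns the decoded fields on success, or None."""
    expected = _b64e(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, tag):
        return None                      # forged or corrupted token
    try:
        fields = json.loads(_b64d(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if not (now - MAX_AGE <= fields.get("ts", 0) <= now + MAX_AGE):
        return None                      # stale token (or clock too far off)
    if tag in seen:
        return None                      # replay: this exact token was already used
    seen.add(tag)
    return fields


def scan_log(lines, now: float, key: bytes = SHARED_KEY):
    """Run every log line through extraction and verification; return accepted fields."""
    seen = set()
    accepted = []
    for line in lines:
        tok = extract_token(line)
        if tok is None:
            continue
        fields = verify_token(tok[0], tok[1], seen, now, key)
        if fields is not None:
            accepted.append(fields)
    return accepted


def demo_log(now: float):
    """Constructed Apache combined-format lines: ordinary site traffic, one valid
    token, a replay of that token, and a copy with a tampered tag."""
    good = build_spa_url({"ts": int(now), "src": "203.0.113.7", "open": "tcp/22"})
    bad = good[:-1] + ("A" if good[-1] != "A" else "B")   # flip the last tag character
    fmt = '203.0.113.7 - - [27/Jun/2015:14:55:00 +0000] "GET {} HTTP/1.1" 404 196 "-" "curl/7.38"'
    return [
        fmt.format("/index.html"),
        fmt.format(good),
        fmt.format(good),        # replayed token: must be rejected
        fmt.format(bad),         # tampered tag: must be rejected
        fmt.format("/images/logo.png"),
    ]


if __name__ == "__main__":
    now = time.time()
    for f in scan_log(demo_log(now), now):
        print("valid SPA token from access_log:", f)
```

Because Apache writes the request line after TLS has been terminated, the same reader works for https requests; the token is never visible on the wire, only in the log. The replay cache is what restores the "single" in SPA for this mode, which, as noted above, the TCP and HTTP sending modes do not give you on their own.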