On 10 October 2013 20:12, sanga collins <[email protected]> wrote:
> If you were able to SSH out we would just Hire you into the IT dept. you
> would be way too over-qualified for the receptionist job. :)

Also an admirable attitude! :)

On 11 October 2013 07:10, Peter C. Ndikuwera <[email protected]> wrote:
> Good old 80 & 443 can work as well for ssh tunneling - though not great
> options.

Really? Why not? 443 is a great option if you need to fend your way through a firewall, since you'd have a hard time separating HTTPS and SSH traffic even with deep packet inspection.

Not impossible, mind you; if I would be dealt the assignment to sniff and inspect traffic on a corporate network, assuming all the client workstations are the property of the corporation and that I would ever stoop so low, I would simply install a home-brew root CA certificate on the client computers, then install a transparent proxy server on the firewall. I would then, with the home-brew CA as, well, CA, have appropriate certificates dynamically generated according to the responses I get from the relayed requests to the target hosts. And there you go. HTTPS: defeated.

This is, by the way, why I don't trust HTTPS to protect my privacy when I'm using a computer I don't control. And on my own computers, I still remain slightly wary. HTTPS is fundamentally flawed, in that it only takes one CA gone rogue (or, in my scenario above, one roguish root certificate added to the client) to render the security useless.

This is also why I never ever would install connection software from an Internet service provider. If the state of a country would decide to have all Internet traffic intercepted at the country border, or the IXP, or some other point where they can easily do so, and they would like to have a look at all the HTTPS traffic as well, they could just go to all ISPs and demand that they ship their 3G/4G modems with this root certificate, installing it along with the connection software. They wouldn't even have to say why; they could pass it off as "the new root CA for government web sites" or similar.
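The "one roguish root certificate added to the client" case in the message above can be checked for by diffing the machine's trusted-root bundle against a known-good baseline. This is an added example, not part of the original e-mail; the function names are hypothetical, and the sample "certificates" are constructed byte strings standing in for DER data.

```python
import base64
import hashlib
import re

# Matches each PEM-armoured certificate in a bundle file
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def fingerprints(pem_bundle):
    """Return the SHA-256 fingerprints (hex) of all certificates in a PEM bundle."""
    found = set()
    for body in PEM_RE.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()))  # strip line breaks first
        found.add(hashlib.sha256(der).hexdigest())
    return found


def unexpected_roots(baseline_bundle, current_bundle):
    """Fingerprints trusted now that were absent from the known-good baseline."""
    return fingerprints(current_bundle) - fingerprints(baseline_bundle)


def make_pem(der):
    """Wrap bytes in PEM armour; used here only to build the sample data."""
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + b64 +
            "\n-----END CERTIFICATE-----\n")


# Constructed sample data: these byte strings stand in for DER certificates.
ROOT_A = b"constructed public root A"
ROOT_B = b"constructed public root B"
ADDED = b"constructed locally added root"

BASELINE = make_pem(ROOT_A) + make_pem(ROOT_B)
# Same roots in a different order, plus one that was added afterwards
CURRENT = make_pem(ROOT_B) + make_pem(ADDED) + make_pem(ROOT_A)

if __name__ == "__main__":
    for fp in sorted(unexpected_roots(BASELINE, CURRENT)):
        print("root not in baseline:", fp)
```

On a real system the two inputs would be the text of a bundle saved from a clean install and the bundle currently in use; a root that appears only in the latter is the one to investigate.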
_______________________________________________
The Uganda Linux User Group: http://linux.or.ug

Send messages to this mailing list by addressing e-mails to: [email protected]
Mailing list archives: http://www.mail-archive.com/[email protected]/
Mailing list settings: http://kym.net/mailman/listinfo/lug
To unsubscribe: http://kym.net/mailman/options/lug

The Uganda LUG mailing list is generously hosted by INFOCOM: http://www.infocom.co.ug/

The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way.
