Re: Tunneling through a hostile proxy?
John Kozubik <[EMAIL PROTECTED]> was seen to declaim:
> SSH java applets exist:
> http://www.appgate.com/ag.asp?template=products&level1=product_mindterm
> http://javassh.org/

And indeed are very useful - but I think you miss the whole point of a java applet. The applet downloads to (and runs on) the local pc, therefore the SSH connection will be outbound from the local pc - and no better than just running up a copy of PuTTY, but with half the features.
Re: Tunneling through a hostile proxy?
> separately, with the proxy able to observe cleartext. Could an SSH
> connection be made under these conditions?

SSH java applets exist:

http://www.appgate.com/ag.asp?template=products&level1=product_mindterm
http://javassh.org/

Therefore, you could simply publish the java ssh client of your choice on an off-site web server of your choice, then hit that web server from behind your proxy using HTTPS (on the standard port 443) using IE or Netscape, etc., and accomplish your goal.

No tunneling needed - just plain old https traffic. The ssh traffic flows only between the off-site web server publishing the applet and the host you direct it to ssh into.

- John Kozubik - [EMAIL PROTECTED] - http://www.kozubik.com
Re: Tunneling through a hostile proxy?
David Howe <[EMAIL PROTECTED]> wrote:
> Not sure if it is what you are asking - but a HTTP proxy doesn't handle
> the SSL; it simply forwards the packets to the destination site, and
> forwards the reply back to you; the SSL encryption is handled by your
> machine and the server (the proxy doesn't touch it)
> In theory, if your corporate force-included its own root key into your
> browser, they could generate their own certificates on the fly and have
> it work transparently - but checking who issued the cert would show that
> up.

Doing this would violate the HTTP CONNECT semantics described in the IETF Internet-Draft "Tunneling TCP based protocols through Web proxy servers" by Ari Luotonen. Not that that's stopping anyone.

I've written a perl module, Net::HTTPTunnel, that allows you to make a CONNECT tunnel through an HTTP proxy and treat it as a normal socket object (it's very simple---it just handles talking to the proxy server and returns an IO::Socket::INET object). It's available on CPAN.

Note that most proxy servers are configured to allow CONNECTs only to port 443 (https) and 563 (snews). Of course, all you have to do to get around this is run an ssh server on port 443 or port 563 on a machine you control that lives outside the firewall. Using the above-mentioned perl module, have a program listening for connections on your machine inside the firewall which will, upon receiving a connection, establish a CONNECT tunnel and forward packets in both directions. Now all you do is ssh to that port on your local machine and tunnel any other protocols you want through the ssh connection (for example, run squid on the machine outside the firewall and forward a local port to the squid server across the SSH tunnel if you wish to conceal your at-work browsing habits). I'm using just such a tunnel to write this email.

Of course, there are lots of ways to make tunnels. A good friend of mine used to tunnel through his high school's firewall using a program he tossed off that would get the data back and forth through the firewall in HTTP POSTs. Sure, it's more complicated, but when his school turned off CONNECTs to prevent the method described above, he took it personally. I think there's even a program out there that creates a (very high latency!) tunnel using email.

--
Riad Wahby
[EMAIL PROTECTED]
MIT VI-2/A 2002
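Added example, not part of the original thread and not code from Net::HTTPTunnel: a proxy-side check for the case described in the message above, where a CONNECT to an allowed port carries SSH instead of TLS. The function names, the sample request lines and the sample payload bytes are constructed for illustration; the allowed ports are the 443 and 563 defaults the message mentions.

```python
import re

# Ports the message says most proxies allow for CONNECT (https, snews).
ALLOWED_CONNECT_PORTS = {443, 563}

CONNECT_RE = re.compile(r"^CONNECT\s+([^\s:]+):(\d+)\s+HTTP/1\.[01]$")


def parse_connect(request_line):
    """Return (host, port) from a CONNECT request line, or None."""
    m = CONNECT_RE.match(request_line.strip())
    if not m:
        return None
    port = int(m.group(2))
    return (m.group(1), port) if 0 < port < 65536 else None


def classify_first_bytes(payload):
    """Label the first bytes seen inside an established tunnel."""
    if payload.startswith(b"SSH-"):
        return "ssh"  # SSH identification string (RFC 4253, section 4.2)
    # TLS record header: type 0x16 (handshake), major version 0x03,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01):
        return "tls"
    return "other"


def review(request_line, first_bytes):
    """Decide what a proxy operator would do with this tunnel."""
    target = parse_connect(request_line)
    if target is None:
        return "malformed"
    if target[1] not in ALLOWED_CONNECT_PORTS:
        return "deny-port"
    kind = classify_first_bytes(first_bytes)
    return "allow" if kind == "tls" else "flag-" + kind


# Constructed samples: (CONNECT request line, first tunneled bytes).
SAMPLES = [
    ("CONNECT shop.example.com:443 HTTP/1.0", bytes.fromhex("160301002f010000")),
    ("CONNECT host.example.net:443 HTTP/1.0", b"SSH-2.0-OpenSSH_3.4\r\n"),
    ("CONNECT host.example.net:22 HTTP/1.0", b"SSH-2.0-OpenSSH_3.4\r\n"),
]

if __name__ == "__main__":
    for line, data in SAMPLES:
        print(review(line, data), "<-", line)
```

The check looks only at the outermost protocol, so it covers the plain SSH-on-443 case and says nothing about traffic carried inside a genuine TLS session.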
Re: CDR: Tunneling through a hostile proxy?
Take a look at http://www.htthost.com

This allows you to tunnel through a proxy using HTTP and arrive at an external tunnel server. The tunnel link through the proxy can be encrypted using a static symmetric key (no SSL). The tunnel server can be running on a machine over which you have control on the outside of the proxy zone. I'm assuming that you want to do what I am doing (that is to keep whatever I am doing from the proxy log files) so a symmetric key would do you and will save on the key set up.

The system is free, but is only suitable for Windows boxes.

Hope this helps.

At 08:01 23.07.2002 -0500, you wrote:
>This may have been discussed before, but a Google search has
>turned up lacking.
>
>Given internet access from a private intranet, through an HTTP
>proxy out of the user's control, is it possible to establish a secure
>tunnel to an outside server? I'd expect that ordinary SSL
>connections will secure user <-> proxy and proxy <-> server
>separately, with the proxy able to observe cleartext. Could an SSH
>connection be made under these conditions?
>
>Pointers appreciated, thanks.
>--
>Roy M. Silvernail
>Proprietor, scytale.com
>[EMAIL PROTECTED]
Re: Tunneling through a hostile proxy?
On Tue, Jul 23, 2002 at 09:42:49AM -0400, Trei, Peter wrote:
> If you're interested in tunneling other protocols
> than HTTP, things get more complex. Assuming
> SSL tunneling is allowed you can run other
> protocols through it if you can set up the software
> at each end appropriately.

So who's written an IP-over-HTTP(S) library? Reminds me of Ranum's NFS-over-SMTP firewall bypassing proof of concept.

BTW Roy, first try ssh on a non-standard non-reserved port.

Eric
RE: Tunneling through a hostile proxy?
> Roy M. Silvernail[SMTP:[EMAIL PROTECTED]]
>
> This may have been discussed before, but a Google search has
> turned up lacking.
>
> Given internet access from a private intranet, through an HTTP
> proxy out of the user's control, is it possible to establish a secure
> tunnel to an outside server? I'd expect that ordinary SSL
> connections will secure user <-> proxy and proxy <-> server
> separately, with the proxy able to observe cleartext. Could an SSH
> connection be made under these conditions?
>
> Pointers appreciated, thanks.
> --
> Roy M. Silvernail
> Proprietor, scytale.com
> [EMAIL PROTECTED]
>

It's been some time since I've worked on proxies, but AFAIK, SSL connections tunnel through proxies already, and the proxy cannot examine the content of the SSL session (though of course, they *can* see where the connection is headed).

It's easy to check - go to an SSL protected website, and while viewing the page examine the certificate the site presented you with (click on 'security' in the toolbar in Netscape, or on IE, click Files->Properties->Certificates). If the certificate belongs to the site you're accessing, you're secure from observation by the proxy. (the proxy can't act as a MITM if the cert is from the far end).

If you wish to access a website which is not SSL protected, try http://www.megaproxy.com, which will encrypt browsing data between itself and your browser, even for non-SSL sites. All your local proxy can tell is that you are doing something at megaproxy (and megaproxy knows everything).

If you're interested in tunneling other protocols than HTTP, things get more complex. Assuming SSL tunneling is allowed you can run other protocols through it if you can set up the software at each end appropriately.

Peter Trei
Re: Tunneling through a hostile proxy?
Roy M. Silvernail <[EMAIL PROTECTED]> was seen to declaim:
> Given internet access from a private intranet, through an HTTP
> proxy out of the user's control, is it possible to establish a secure
> tunnel to an outside server? I'd expect that ordinary SSL
> connections will secure user <-> proxy and proxy <-> server
> separately, with the proxy able to observe cleartext. Could an SSH
> connection be made under these conditions?

Not sure if it is what you are asking - but a HTTP proxy doesn't handle the SSL; it simply forwards the packets to the destination site, and forwards the reply back to you; the SSL encryption is handled by your machine and the server (the proxy doesn't touch it)

In theory, if your corporate force-included its own root key into your browser, they could generate their own certificates on the fly and have it work transparently - but checking who issued the cert would show that up.
Tunneling through a hostile proxy?
This may have been discussed before, but a Google search has turned up lacking.

Given internet access from a private intranet, through an HTTP proxy out of the user's control, is it possible to establish a secure tunnel to an outside server? I'd expect that ordinary SSL connections will secure user <-> proxy and proxy <-> server separately, with the proxy able to observe cleartext. Could an SSH connection be made under these conditions?

Pointers appreciated, thanks.

--
Roy M. Silvernail
Proprietor, scytale.com
[EMAIL PROTECTED]