On Wed, Sep 18, 2002 at 08:42:08PM +0100, Andrew M. Bishop wrote:
> This is really a security feature for system administrators.  Allowing
> HTTPS tunneling to any port will mean that people can bypass WWWOFFLE
> if it is used as a firewall to stop people getting out.  All that
> WWWOFFLE does for HTTPS is open a socket connection and pass data in
> both directions.  There is no checking on the contents or the URL
> because they are encrypted.

well shouldn't that also be possible with http?
but then, wait, 
i was not successful in streaming realvideo through wwwoffle, 
but it works with other proxies...

> I suppose that the easiest change is to remove the restriction unless
> any ssl-allow-port entries are specified.

sounds like a good idea.

as for SSL in general it would be interesting to have wwwoffle actually
present its own certificate to the client to be able to cache SSL.

in general this looks like opening doors for a man-in-the-middle attack,
but users will either trust wwwoffle (as they trust the browser)
or they should be suspicious over the certificate they are being shown.
(which would somehow indicate that it's not the original)

greetings, martin.
-- 
interested in doing pike programming, sTeam/caudium/pike/roxen training,
sTeam/caudium/roxen and/or unix system administration anywhere in the world.
--
pike programmer     travelling in europe                        open-steam.org
                    csl-gmbh.net       (www.archlab|(www|db).hb2).tuwien.ac.at
unix                bahai.or.at                       iaeste.(tuwien.ac|or).at
systemadministrator (stuts|black.linux-m68k).org        is.(schon.org|root.at)
Martin Bähr         http://www.iaeste.or.at/~mbaehr/
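The control point the thread is arguing about, as an added example that is not part of this exchange and not WWWOFFLE's own code: a proxy that only forwards bytes through a CONNECT tunnel cannot inspect the encrypted contents, so the one thing it can still enforce is the destination host:port on the CONNECT line. The code below parses CONNECT request lines (including bracketed IPv6 hosts) and applies the two modes Andrew proposes: with no allow-port entries configured, any port is tunnelled; with entries configured, only those ports are. The names `decide`, `audit` and `allowed_ports` are assumptions for illustration, as is the sample request list, which is constructed rather than taken from a real log.

```python
"""
Added example (not WWWOFFLE code): a CONNECT-tunnel port policy in the spirit
of the thread. Assumptions (hypothetical, not WWWOFFLE's own config names):
  - allowed_ports is the list of "ssl-allow-port" style entries;
  - an empty list means "no restriction" (the proposed default);
  - a non-empty list means only those ports may be tunnelled.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# "CONNECT host:port HTTP/1.x"; the host may be a bracketed IPv6 literal.
_CONNECT_RE = re.compile(
    r"^CONNECT\s+(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<host>[^\s:\[\]]+))"
    r":(?P<port>\d{1,5})\s+HTTP/1\.[01]$"
)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    host: Optional[str]
    port: Optional[int]
    reason: str


def parse_connect(line: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) for a well-formed CONNECT line, else None."""
    m = _CONNECT_RE.match(line.strip())
    if not m:
        return None
    host = m.group("v6") or m.group("host")
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return None
    return host, port


def decide(line: str, allowed_ports: Sequence[int]) -> Decision:
    """Apply the allow-port policy to one request line."""
    parsed = parse_connect(line)
    if parsed is None:
        # Anything that is not a valid CONNECT never opens a raw tunnel.
        return Decision(False, None, None, "malformed or non-CONNECT request")
    host, port = parsed
    if not allowed_ports:
        return Decision(True, host, port, "no ssl-allow-port entries: unrestricted")
    if port in allowed_ports:
        return Decision(True, host, port, "port on allow-list")
    return Decision(False, host, port,
                    f"port {port} not on allow-list {sorted(set(allowed_ports))}")


def audit(lines: Sequence[str], allowed_ports: Sequence[int]) -> List[Tuple[str, Decision]]:
    """Run request lines through the policy and return the denials, which is
    what an operator reviewing attempted tunnel bypasses would want logged."""
    denials = []
    for line in lines:
        d = decide(line, allowed_ports)
        if not d.allowed:
            denials.append((line, d))
    return denials


SAMPLE_REQUESTS = [  # constructed sample input, not from a real proxy log
    "CONNECT www.example.com:443 HTTP/1.1",
    "CONNECT mail.example.net:993 HTTP/1.0",
    "CONNECT [2001:db8::1]:443 HTTP/1.1",
    "CONNECT www.example.com:22 HTTP/1.1",
    "GET http://www.example.com/ HTTP/1.1",
]

if __name__ == "__main__":
    for allowed in ([443], []):
        print(f"allow-list {allowed or '(none: unrestricted)'}:")
        for line, d in audit(SAMPLE_REQUESTS, allowed):
            print(f"  DENY {line!r}: {d.reason}")
```

Running it shows the trade-off the thread describes: with `[443]` configured, the IMAPS and SSH tunnels are refused and only a CONNECT to 443 passes; with no entries, every well-formed CONNECT is let through, and the proxy is no longer a useful egress filter.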