Re: How does stunnel work?

From: nemo outis (outis_at_erewhon.com)
Date: 06/15/03


Date: Sun, 15 Jun 2003 16:09:52 GMT

In article <bchae8$d88$1@canopus.cc.umanitoba.ca>, roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) wrote:
>In article <010939AE479F35A910111WANGJMS392213@130.133.1.4>,
>Jeffrey Wang <JWang_NOMAIL@microsoft.com> wrote:
>:So, iow, if you don't have a direct ssl or
>:other encrypted session with the remote server, then your isp can
>:log your passwords, etc., correct? I guess the only way to remain
>:anon and encrypted point to point is to use remailers.
>
>In order for your ISP to not be able to log your passwords etc.,
>you need an encryption layer between you and the remote system.
>stunnel cannot be used to set up such a layer to an arbitrary system,
>only to co-operating systems.
>
>If you use an encrypting proxy (e.g., hushmail or others) then
>the part between you and that service will be encrypted (and thus
>difficult to decode at your ISP); the part between that service
>and the final destination would -not- be encrypted, though.
>
>
>On the other hand, if you are concerned about your ISP logging passwords
>and so on, such as they might be required to do under court order,
>then you should also be concerned about the possibility of a
>"man in the middle" attack, where the ISP redirects any particular
>remote destination to their own equipment. And of course, you need
>to consider the possibility that whatever encrypting proxy you choose
>might be recording your traffic. Some of the anonymous remailers are
>controlled by the CIA (or so I have seen in reputable sources), so I'd
>be surprised if all of the encrypting proxies were pure.

Using one of the commercial proxies (I like cotse, but there are
others) with a secure tunnel to it (but not beyond) will give
**total protection** from the local ISP. I do not think that
MTM (e.g., between the ISP and cotse) is at all likely (and would
be, in any case, impossible to do if the remote proxy uses
authentication during session setup as is usual with SSL/TLS).

While it is possible that the remote proxy is a front for the
CIA, etc. I think that danger is overblown. However, protection
is enhanced where the remote proxy is in a different
jurisdiction, since serving of subpoenas, etc. becomes very
cumbersome and slow. I recommend using a foreign proxy where
possible.

For the ultra-paranoid, one can even arrange with a foreign
friend for him to provide an encrypted proxy for you and vice
versa. (It won't completely frustrate a serious LE effort,
although it will slow and complicate it, and it will cause
significant difficulty in proving to whose computer - the
friend's or yours - the packets were really destined.) On that
same theme, I usually arrange to tunnel out from computers at my
clients' office to my own proxy running on my home machine.
That way I leave nothing decipherable in the company
firewall/proxy system.

In short, I believe your description is factually correct (except
re MTM) but that you overstate the risks.

Regards,

PS Needless to say, using stuff like SSL/TLS is just one
part of a security/privacy plan which should be integrated and
supported not just with technology, but with the "soft side" such
as threat assessment, operational protocols, etc.
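The MTM point in the thread hinges on the client actually checking the proxy's certificate. As an added illustration (not part of the thread, and not configuration any poster supplied), here is the same stunnel client service written two ways in stunnel 5 syntax: the first accepts whatever certificate the far end presents, the second verifies the chain against a CA bundle and checks the hostname. The proxy hostname and CA file path are placeholders.

```ini
; stunnel client: local application connects to 127.0.0.1:8080,
; stunnel wraps it in TLS and forwards to the remote proxy.
client = yes

; --- Weak: no verification at all (stunnel's default) ---
; Any machine that intercepts proxy.example.invalid:443 can present
; its own certificate and the tunnel is established to it instead.
[proxy-unverified]
accept  = 127.0.0.1:8080
connect = proxy.example.invalid:443

; --- Hardened: authenticate the remote proxy during the handshake ---
; The tunnel is only established if the presented certificate chains
; to a trusted CA and its name matches the host we intended to reach.
[proxy-verified]
accept      = 127.0.0.1:8081
connect     = proxy.example.invalid:443
verifyChain = yes
CAfile      = /etc/ssl/certs/ca-certificates.crt   ; placeholder CA bundle path
checkHost   = proxy.example.invalid
```

Only the first hop (client to proxy) is protected either way; what the proxy does with the traffic afterwards is outside stunnel's control, as the quoted reply already notes.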
