Re: basic ssl proxy question
From: Bjorn Randell (Bjorn_at_AlphaMale.me.uk)
Date: 06/21/03
- Next message: David Means: "Re: raw 0 0 0.0.0.0:6 0.0.0.0:* 7"
- Previous message: Don Kelloway: "Re: Best Kept Secrets- to Don"
- In reply to: Fred Holm: "basic ssl proxy question"
- Next in thread: Fred Holm: "Re: basic ssl proxy question"
- Reply: Fred Holm: "Re: basic ssl proxy question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 21 Jun 2003 18:00:06 +0100
"Fred Holm" <noanswersbymailplease@hotmail.com.invalid> wrote in message
news:xF_Ia.16$S32.35811@news.uswest.net...
> In the past, I had thought, using an ssl proxy for a program which
> normally is used without proxy would ensure encryption and anonymity,
> but maybe, this is complete nonsense, right?
In this case, encryption is only between you and the proxy. Any access
which the proxy sends to the outside world will be unencrypted and
suseptable to classic sniffing techniques.
> To give an example, peer2peer file sharing software, like kazaa:
> 1) without entering a proxy in kazaa's settings, all connections to
> other
> people are direct, so far so bad
> 2) if I enter a socks5 proxy, all connections go through this proxy,
> with
> the result that the other side (p2p partners) don't see my IP; the proxy
> owner, however, sees my IP and all the content transmitted; moreover,
> anyone between me and the socks proxy could sniff the content, right?
>
> and now to
> 3) entering a socks5 proxy in kazaa, but in this new case, a proxy
> running on the own computer (localhost:1080), but which tunnels all
> requests throught to an external ssl proxy.
>
> This can be achieved by using a tool like "socks2http" (for windows) or
> by doing "socksify socksd" under linux. This means, I "socksify" all
> requests coming from my p2p program and tunnel the socksified requests
> to an external ssl proxy somewhere in the world.
I remember setting up something pretty much the same in my old University
accommodation for everyone so they could get there little file sharing progs
to work.
> Does involving such an ssl (connect) proxy mean, the traffic from my
> computer to the ssl proxy is encrypted? Does it even mean, the traffic
> from the ssl proxy to the p2p partner at the other end is encrypted?
1.) The method used to get out to IPs on different ports is achieved using
the SSL CONNECT command, which, AFAIK, involves no encryption whatsoever!
(Use a packet sniffer for complete verification on this one, I'm 99% sure
though that there is no encryption.)
2.) Even if I'm wrong, and it does encrypt the traffic between your socks
server and the proxy, it certainly can't encrypt between the proxy and the
P2P partner your downloading/uploading from/to.
> Or does it mean, there is no encryption at all!? Because the so called
> ssl proxy only passes my requests through - and since there are no
> (browser, or whatever) certificates/public keys exchanged, there CANNOT
> be any kind of encryption or anonymity?
We've establish now that no encryption happens, however, there is a little
more anonymity. That comes from the fact that anyone you download from is
only going to see the IP address of the proxy which is connected to them,
not your IP address. In order to establish your real IP address, it would
be necessary to contact the proxy owner and illicit some kind of help from
them, which is _highly_ unlikely. A police force however might have a heck
of a lot more luck in getting cooperation, from the proxy owner if it's in
the same country as them.
> And now, let's forget the socks proxies, because there are also
> programs, like icq applications, which can directly use an ssl proxy
> (without socksifying the icq application first).
>
> What happens in this case? If I use icq or some other program with an
> ssl proxy, does encryption happen then or not?
I'm pretty sure it's the standard SSL CONNECT command used to access AOL/ICQ
servers, therefore it will be unencrypted between your ICQ client and the
proxy.
> And finally, I hope, I am not wrong in this last scenario:
> When using stunnel between my computer and an external shell account and
> using certificates, is my connection encrypted then?
> Is this comparable to using secure shell tunneling?
I just looked up some stunnel stuff and yeah, it's encrypted. I would
however say, that if you are using stunnel just to connect to a shell on
your shell proivder, that you consider using SSH which is IMO a much better
tool to use for the job. It's also more flexible from what I can gather and
you can negotiate with the server over how you want data encrypted etc. AES
is far more secure than what SSL has to offer.
Anyway, the reason it get's encrypted using the stunnel method is that there
is certificate enchange using the SSL protocol in the normal sense, and then
data is exchanged. With the ICQ or other application that can use a proxy
to get out, it uses the SSL CONNECT method to bounce out, which doesn't
involve certificate exchange, it just allows 'port forwarding' facilities of
a sort.
> Could someone with a deeper knowledge of all this enlighten me? I am
> lost here and tend to think, I believed in illusions of encryption and
> anonymity regarding ssl proxies...
This is kinda one of my topics of interest, so if you've got anymore
questions, shoot! :)
-- Regards, Bjorn Randell Bjorn@AlphaMale.me.uk or ICQ #137732
- Next message: David Means: "Re: raw 0 0 0.0.0.0:6 0.0.0.0:* 7"
- Previous message: Don Kelloway: "Re: Best Kept Secrets- to Don"
- In reply to: Fred Holm: "basic ssl proxy question"
- Next in thread: Fred Holm: "Re: basic ssl proxy question"
- Reply: Fred Holm: "Re: basic ssl proxy question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
