stunnel, cgi-proxies, Tera Term, shell accounts

From: A. Melon (juicy@melontraffickers.com)
Date: 03/26/02 

Date: Tue, 26 Mar 2002 03:09:33 -0800
From: "A. Melon" <juicy@melontraffickers.com>

Here's one for the gurus.

I've been experimenting with trying to setup stunnel and cgi-proxies to facilitate the setup of my own remote proxy and to
be able to access pop3 servers via a SSL link. I have my own W98/NT/Linux systems, but I am trying to get the W98 setup
working, however the higher level theory should be the same for all platforms.

Scenario
--------
The problem is that I want to be able to use POP3 to pick up my email from a remote POP3 server without my ISP being able to
snoop on my connection. The problem is that even though email clients such as OE6 do offer POP3S/SMTPS many email suppliers
do not offer POP3S. In addition, it would be a security compromise if you connected to a POP3S server without a SSL tunnel,
because your ISP (upon an FBI order) could track your a/c by simply contacting the POP3S supplier and by using their
respective IP tracking logs, they can determine which a/c was accessed at a particular precise time, and hence they can find
out who you are! A SSL tunnel is the best option of decreasing such an attack. Enter stunnel and similar tunnelling
techniques. stunnel and ssh will enable me to setup a SSL tunnel between my client and a remote server would be ideal. The
problem is however that stunnel works great if the other end of the tunnel connects to the POP3 server directly, however you
need to install a stunnel server at the other end of the pipe, so obviously as normally one does not have access to the POP3
server this is not possible.

So, to overcome this, you need a shell account to an intermediary server where you setup a stunnel server. So the link is
something like this:

W32|Linux client running QS|OE|Eudora|Pine <-->SSL tunnel (stunnel client)<-->stunnel server (intermediate server) <--data
not encrypted in this link-->final server (POP3)

The problem is that the vast majority of the unix servers (intermediate) offering FREE shell accounts DO NOT ALLOW traffic
to be routed out of their server from your shell a/c unless you pay for the service. The problem with paying for the
service is that you have to disclose your details and hence this is a security risk (see the APAS posting on digi-cash for
more details on this).

Setup Details and Questions
---------------------------
Q1 - I have setup stunnel under W98 and the 1st question is that when you run stunnel -c (client mode) the program runs and
disappears. I have tried placing an entry in ..\RunServices registry key and also created a Task but despite the process
being executed, I do not see it in the Running Tasks list (^-alt-del). Am I missing something, shouldn't I see a stunnel
process running in the task list or do I need to use a WinTop program to see it?

Q2 - What is the use of a Shell Account if you are not allowed to route out of it to another server? OR AM I
misinterpreting this? If I can find a server which will enable me to install stunnel in my Shell Account, do you think it
is feasible to assume that they will let a user have a process such as stunnel run in the background for the duration of
your connection? Does anyone know of a reliable FREE Shell Account service which will enable me to run stunnel?

Q3 - Failing stunnel, is there a way to do the above using ssh (openSSH or Tera Term TTSSH?). Does anyone have any
experience in setting up a SSL tunnel to an intermediary server and then collect mail through it or run ftp through it? As
ftp uses 2 channels for communicating stunnel does not support it, how do they implement ftps then? and how can I achieve
this using open source s/w such as OpenSSL. I am aware of the commercial products.

Q4 - I also wish to be able to surf the web through my stunnel pipe by running http through it. If this is not possible, I thought of setting up a CGI-Proxy (SSL preferably) to facilitate web browsing, essentially this would create my own anonymizer service. Again does anyone have experience with any good CGI-proxies to facilitate anonymous surfing. I am looking into JAP and Delegate proxies. Again, has anyone successfully implemented the latter and can they offer any tips with regards the remote intermidiary Shell Account server setup.

Q5 - On a general note, TTSSH came with a warning that there is a problem with the IDEA cipher when used with their product. See complete details at http://www.kb.cert.org/vuls/id/315308. TTSSH suggest not using the IDEA cipher to overcome this. My question is that when you generate a RSA PGP key using PGP 6.5.8 it specifies that it is IDEA. Could someone clarify for me that if you disable IDEA in TTSSH will you still be able to use your RSA key/certificate? OR am I missing some vital theory?

TIA

Relevant Pages