Penetration Testing mailing list archives
Re: Netcat through Squid HTTP Proxy
From: Joachim Schipper <j.schipper () math uu nl>
Date: Wed, 18 May 2005 13:25:49 +0200
On Tue, May 17, 2005 at 03:34:16PM +0200, Christoph Puppe wrote:
Henderson, Dennis K. schrieb:It seems like he was looking for information on how to prevent this.The most thorough way to prevent proxy abuses, that use the CONNECT feature to simulate valid HTTPS traffic, is breaking up all this connections, decrypted and have them scrutinized with your normal content security tool. The Proxy acts like a man in the middle attacker, it get's the HTTPS connection, produces a certificate that matches the site beeing requested and presents this to the client. The client agrees on a session-key with the proxy and starts sending requests. The proxy pipes this requests through some logic to determine if this is an OK request, most firewalls and CS-Tools will do this for you. Then the proxy opens a new connection to the site requested, checks the certificate and sends the requests. The results are processed likewise. Sounds complicated? It's a little more challenging than a simple proxy and the clients all need to have a new Root-CA-Certificate, that is used by the proxy to sign the fake-certificates. Works fine. Keeps the tunnels closed _and_ you get content security for https connections. No more viruses from Web-Mail accounts that use https. Of course, setting the firewall so, that the proxy may only connect to 80,443,8080 and other well known http/s ports should be done. Monitoring logfiles is a good idea as well.
The problem, of course, being that this makes verification of the remote end of the connection impossible as well as compromising privacy for the parties behind the firewall. So this will also make HTTPS less useful for the user. There is a trade off here... Joachim
Attachment:
_bin
Description:
Current thread:
- Re: Netcat through Squid HTTP Proxy Christoph Puppe (May 17)
- Re: Netcat through Squid HTTP Proxy Joachim Schipper (May 18)
- Re: Netcat through Squid HTTP Proxy Rogan Dawes (May 18)
- Re: Netcat through Squid HTTP Proxy Joachim Schipper (May 18)