Great Circle Associates Firewalls
(February 1998)

Subject: RE: SSL Proxies revisited
From: Joseph Judge <joej @ ultranet . com>
Date: Fri, 6 Feb 1998 21:10:18 -0500
To: "'James Croall'" <jcroall @ foo . org>, "firewalls @ GreatCircle . COM" <firewalls @ GreatCircle . COM>
Reply-to: "joej @ ultranet . com" <joej @ ultranet . com>


The proxies can't really look at the traffic ... the keys are
client <--> server shared.  The only choice is to restrict ports
(like you mentioned). Yes, the lazy butts out there just plop
their services on socket 443 to get around it.  The, sadly,
reactive mechanism is to put those external sites in a
block list.

	- joe

rant:
lazy butt programmers/companies overloading the
SSL socket.  Yes, I know you can also write a quickie
script to "navigate the telnet proxy into 8-bit mode and
do the 'connect to server A at socket B' and just run
your protocol that way {to get around the firewall} ...
and other "wide open" internal -> external proxies.

Any SSL proxy out there (or in the works) that will
spy on the first communications to see if it *looks*
like the initial SSL handshaking ?

	-- joe


On Friday, February 06, 1998 11:57 AM, James Croall [SMTP:jcroall @ foo . org] wrote:
>
> A while back, somebody suggested using the HTTP proxy CONNECT method
> of "SSL proxies" to tunnel arbitrary services. I've started to notice
> that more people are picking up on this, and now AOL even supports
> connection to their network via this type of proxy.
>
> Some administrators prevent users from exploiting this by only allowing
> CONNECT's on port 443. This doesn't help the situation too much, since
> a lot of secure servers out there are running on alternate ports -- and
> AOL's services can listen on port 443 now too.
>
> Why aren't these "proxies" actually looking at the SSL traffic? At least
> check out the client and server hello messages, make sure they're legit.
>
> I've put together some simple patches to Thede Loder's Simple SOCKS
> Daemon to take advantage of these SSL proxies. Assuming your proxy
> has not been configured just so, just run it on a unix host behind your
> firewall and you can use SOCKS4 to make TCP connections out to the world.
>
> Bye-bye meaningful audit trail.
>
> It works rather nicely with the simple fwtk, Gauntlet, and CERN proxies
> that I've tried it with.
>
> 	http://www.foo.org/james/misc/ssockd-ssl.txt
>

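Joe asks for a proxy that looks at the first bytes sent through a CONNECT tunnel to see whether they resemble the start of an SSL handshake, and James suggests checking the client and server hello messages. The following is an added example, not code from this thread or from any of the proxies named in it: a Python heuristic for that first-bytes check, with constructed sample inputs (a minimal TLS ClientHello and ServerHello, an SSLv2-style hello, a SOCKS4 request and an SSH banner) embedded so it runs offline.

```python
# Heuristic "does this look like an SSL handshake?" check for the first bytes
# a client sends once an HTTP CONNECT tunnel has been accepted. Added example;
# all sample messages below are constructed, not captured traffic.
import struct


def tls_handshake_type(data: bytes):
    """Return the handshake message type inside the first SSLv3/TLS record,
    or None if the bytes do not form a plausible handshake record."""
    # Record header: content type 0x16 (handshake), version 0x03 0x00..0x03,
    # then a 16-bit record length; handshake header is type + 24-bit length.
    if len(data) < 9 or data[0] != 0x16 or data[1] != 0x03 or data[2] > 0x03:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs_len = int.from_bytes(data[6:9], "big")
    if rec_len < 4 or hs_len > rec_len - 4:   # handshake must fit in the record
        return None
    return data[5]


def looks_like_client_hello(data: bytes) -> bool:
    """True for an SSLv3/TLS ClientHello or an SSLv2-compatible ClientHello."""
    if tls_handshake_type(data) == 0x01:
        return True
    # SSLv2-style hello: 2-byte length with the high bit set, msg type 0x01,
    # then a version whose major byte is 0x00 (SSLv2) or 0x03 (SSLv3/TLS).
    return (len(data) >= 5 and bool(data[0] & 0x80)
            and data[2] == 0x01 and data[3] in (0x00, 0x03))


def looks_like_server_hello(data: bytes) -> bool:
    """True for an SSLv3/TLS ServerHello (handshake type 0x02)."""
    return tls_handshake_type(data) == 0x02


def classify_tunnel_start(first_bytes: bytes) -> str:
    """Label the first client bytes of a tunnel; a proxy could log or drop
    anything that is not 'ssl-client-hello'."""
    return "ssl-client-hello" if looks_like_client_hello(first_bytes) else "not-ssl"


# Constructed samples. TLS 1.0 ClientHello: 45-byte record, 41-byte handshake
# body (version, 32-byte random, empty session id, one cipher, null compression).
TLS_CLIENT_HELLO = (bytes.fromhex("160301002d01000029") + b"\x03\x01" + b"\x00" * 32
                    + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00")
TLS_SERVER_HELLO = (bytes.fromhex("160301002a02000026") + b"\x03\x01" + b"\x00" * 32
                    + b"\x00" + b"\x00\x2f" + b"\x00")
SSLV2_CLIENT_HELLO = bytes.fromhex("80250103010012000000100100800700c0")
SOCKS4_REQUEST = b"\x04\x01\x00\x50\x0a\x00\x00\x01user\x00"   # SOCKS4 CONNECT
SSH_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"
```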