Tingletongue

Ssl?

11 posts in this topic

Any chance of getting SSL encryption for PN (both board and site)? Probably represents an outlay of ~£20 for a cert (may even be free from some hosting providers) and a small increase in CPU load, but the benefit is that all the rather sensitive traffic on here will be unreadable to those evil monitoring ISPs, corporate traffic filters, and PN would be safe to use from public wifi and mobile networks without fear of session hijacking etc. (google 'firesheep' for more about that)...

I can help if needed.

Any chance of getting SSL encryption for PN (both board and site)? Probably represents an outlay of ~£20 for a cert (may even be free from some hosting providers) and a small increase in CPU load, but the benefit is that all the rather sensitive traffic on here will be unreadable to those evil monitoring ISPs, corporate traffic filters, and PN would be safe to use from public wifi and mobile networks without fear of session hijacking etc. (google 'firesheep' for more about that)...

I can help if needed.

I've highlighted your post to Galahad. :)

Bad idea to encrypt the traffic as this is a public forum board. No such forums on the Internet are secured over SSL. If proxies want to block any website, all they need is the domain name (punternet.com) or the IP address...

I just looked into the website and it seems it exploits the common way of maintaining anonymity: routing the traffic through several other nodes before reaching the destination. There's a 99% probability that all of these nodes will be inaccessible within the corporate network or, to be specific, the port# that this software uses to route the traffic will be blocked. If you use a proxy server website (like kproxy.com or hidemyass.com) that isn't blocked by your company, you will get spotted sooner or later. There's no way of getting around or hiding your ass behind a corporate network.

Edited by ITSMEJACK

Bad idea to encrypt the traffic as this is a public forum board. No such forums on the Internet are secured over SSL. If proxies want to block any website, all they need is the domain name (punternet.com) or the IP address...

The vast majority of filters on corporate proxies rely on content matching. With SSL they would lose that ability entirely, and have no way of telling your traffic isn't for a bank, amazon, HMRC, lexis etc. Proxies can block by IP regardless of whether SSL is being used. SSL is extremely common, even for forums (for example google groups) and as far as I'm concerned has no downside for the type of application we're talking about. I don't get your objection - you're saying they'd block PN traffic because they couldn't read it, when it's far more likely that they'd block it because they could!?

It's very common for multiple sites to be on one IP, so blocking by IP is a bit blunt and thus less common. If you can maintain your own hosts file you can avoid public DNS lookups, then the only way they can tell what you're looking at is a reverse lookup on the IP, and in the case of PN, that's not defined as it has no reverse record and leads to a generic US-based hosting company.

Tor is a cool idea, but you'd still want your traffic over it to be encrypted since the tor network itself is not secured (anyone can set up as a tor node and read the traffic).

To get out of a corporate network I'd probably set up an ssh tunnel to one of my servers on port 80 and run a remote browser over X.

The vast majority of filters on corporate proxies rely on content matching. With SSL they would lose that ability entirely, and have no way of telling your traffic isn't for a bank, amazon, HMRC, lexis etc.

Even with HTTPS, the header information is still visible to the proxy server, meaning the network admin can still see the destination though not the message content.

SSL by theory is a secured connection between the HTTPS server and the requesting client, but most company proxies do have something called SSL proxying or man-in-the-middle. The proxy will actually generate a self-signed certificate and when you, the client, try to connect to an HTTPS webserver on the Internet, what you'll receive is the proxy server's certificate instead of the actual HTTPS server's certificate, and since the proxy's certificate is not trusted by your browser, your browser will issue a warning message, which many of our members received when the forum was on SSL for a brief moment. In simpler terms, you send out a sealed envelope by post, it reaches the post office, someone opens the envelope, reads the content, then reseals the envelope and posts it to the destination, and the receiver looks confused because the envelope looks tampered with.

Tor is a cool idea, but you'd still want your traffic over it to be encrypted since the tor network itself is not secured (anyone can set up as a tor node and read the traffic). To get out of a corporate network I'd probably set up an ssh tunnel to one of my servers on port 80 and run a remote browser over X.

Tor's virtual network may or may not be encrypted, but at the end of the day the company proxy will not allow any outbound connections that didn't originate from its own server. Setting up an SSH tunnel is worth a try, but not on port 80, because then you're doing HTTP tunneling (HTTPS connection over HTTP) which is also blocked by most proxies. SSH is on port 22. However SSH tunneling is only for advanced users and if caught get ready for the pink slip. There's just no way of getting around corporate proxies.

Edited by ITSMEJACK

Even with HTTPS, the header information is still visible to the proxy server, meaning the network admin can still see the destination though not the message content.

Not true. Everything in SSL is encrypted after the initial handshake, and that does not include any hostname or http-level info (a fact that causes problems for virtual hosting with SSL). Proxies cannot monitor the content of SSL traffic unless they have a copy of the private key matching the certificate. They may MITM a self-signed cert as you suggest, but then it would break most sites and possibly expose personal, corporate and credit card data, which I'd consider a far more serious problem than allowing the traffic. Schools have the biggest problem with this since they are mandated to block by URL which they can't do unless they block https.

I'd expect the content on PN (unsecured) would be more likely to get you into trouble than using SSL!

As far as PN goes, seems most sensible to just maintain both secure and insecure access routes without forcing either, then it would work for all.

It feels very odd having this kind of conversation on here! Network admin needs more tits!

Even with HTTPS, the header information is still visible to the proxy server, meaning the network admin can still see the destination though not the message content.

Sorry - was not thinking straight on that last comment. On proxied HTTPS you can indeed see the target URL in the connect phase.
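To make the point in the last two posts concrete, here is an added example (not code from the thread or its forum) showing what an on-path proxy can read before the encrypted session begins: the host and port in the HTTP CONNECT request line, and the server name that modern TLS clients also place, unencrypted, in the ClientHello's SNI extension. The ClientHello is constructed inline so the example runs offline; the hostname `forum.example.net` is a placeholder, not a real target. Everything after the handshake is opaque to the proxy, which is why the record check below refuses anything that is not a ClientHello.

```python
import struct

HANDSHAKE = 0x16        # TLS record content type for handshake messages
CLIENT_HELLO = 0x01     # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension id


def build_client_hello(host: str) -> bytes:
    """Build a minimal ClientHello record carrying an SNI extension.

    Constructed sample input: the 32-byte random is all zeros so the
    example is deterministic; a real client fills it with random bytes."""
    name = host.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                                   # client_version (TLS 1.2)
        + bytes(32)                                   # random (zeros, constructed)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"  # two cipher suites
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(ext)) + ext           # extensions block
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None.

    Any record that is not a handshake/ClientHello (e.g. application data
    after the handshake) yields None: the observer cannot read into it."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = body[pos]
    pos += 1 + cm_len
    if pos + 2 > len(body):
        return None                                # no extensions present
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME:
            # server_name_list: 2-byte list length, then type(1) len(2) name entries
            p = 2
            while p + 3 <= len(data):
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:
                    return data[p:p + nlen].decode("ascii")
                p += nlen
    return None


def parse_connect(request: bytes):
    """Parse the request line of an HTTP CONNECT sent to a forward proxy.

    Returns (host, port) or None if this is not a CONNECT request."""
    line = request.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    host, _, port = parts[1].rpartition(":")
    return host, int(port)


def observer_view(connect_request: bytes, first_tls_record: bytes) -> dict:
    """Everything a proxy learns from the unencrypted phase of a tunnelled HTTPS session."""
    target = parse_connect(connect_request)
    return {
        "connect_host": target[0] if target else None,
        "connect_port": target[1] if target else None,
        "sni": extract_sni(first_tls_record),
    }


if __name__ == "__main__":
    # Constructed sample: a CONNECT to a placeholder host followed by its ClientHello.
    req = b"CONNECT forum.example.net:443 HTTP/1.1\r\nHost: forum.example.net:443\r\n\r\n"
    print(observer_view(req, build_client_hello("forum.example.net")))
```

The defensive takeaway is that hiding the destination from a proxy requires more than TLS: the CONNECT line and SNI both name it. What TLS does protect, absent a trusted interception CA on the client, is the request path, cookies and page content that the earlier posts were worried about.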

Sorry - was not thinking straight on that last comment. On proxied HTTPS you can indeed see the target URL in the connect phase.

Fair point, but regarding the open connect phase, if you set up a periodic probability port sweep, you can block packet traces/sniffing, plus protect yourself from malicious reverse IP lookups. Regardless, as a minimum, I'd insist on using a level two bastion host or screener gateway before connecting to any website.

It's shocking how lax people are re:security sometimes.
