[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Web-page based proxy service



On Mon, Jan 17, 2005 at 08:49:24PM +0300, Peter Clark wrote:
> On Monday 17 January 2005 12:08, Wouter Verhelst wrote:
> > Are the things you want to send through the proxy delimited by the
> > network they appear on? e.g., you want traffic for the 'Net to go
> > through the proxy, but want to keep traffic for your local LAN as direct
> > traffic? If so, then transparent proxying should work perfectly for you.
> 
>     No, actually what I want to do is provide a bit of security in a hostile 
> network environment.

Oh.

> Let's say we have a user who wants to check his 
> web-based email (Yahoo, Hotmail, etc.) that doesn't offer SSL, and there's a 
> high possibility that the network is being monitored by Unfriendlies.

What network? The one at the user's end, or one somewhere in between?

If an attacker can't read the traffic between the user and your SSL
proxy, surely he can read the traffic between your SSL proxy and the
remote system? This has the potential of lulling the user in a false
sense of security, which is worse than the original (because users who
think their traffic is secure will be less careful than users who know
it isn't the case)

> The 
> second problem is that said user could potential desire to visit any website 
> where he would be handing over passwords, credit card numbers, etc., so 
> building a "whitelist" of servers, as some have suggested.

That could be a good idea, actually.

> My attempt at a 
> solution is to provide a secure https server that acts as a proxy; all 
> traffic from, say, Hotmail, would be encrypted by the server before being 
> passed on to the user, but at the user's discretion, rather than my direct 
> intervention.
>     However, since my bandwidth is not unlimited, and since there's no point 
> in encrypting _everything_, I don't want everything to go through the server. 
> Several people have mentioned CGIProxy, which almost fits the bill, except 
> that sites that require JavaScript can be problematic.

If you're going to try to apply semi-AI to web pages to determine
whether something needs to come from the proxy or from the original
server, you're /always/ going to have problems.

-- 
         EARTH
     smog  |   bricks
 AIR  --  mud  -- FIRE
soda water |   tequila
         WATER
 -- with thanks to fortune



Reply to: