Firewall Wizards mailing list archives
Re: httptunnel
From: Wyllys Ingersoll <wyllys () reston wcom net>
Date: Thu, 25 Mar 1999 08:21:15 -0500
On Wed, Mar 24, 1999 at 11:26:28AM -0500, youngk () ttc com wrote:
We currently do not use proxy authentication for HTTP requests which originate internally. May change that. I presume that that could help thwart a covert trojan program trying to get out w/ HTTP. Thoughts?Simple... just have the trojan horse wait a couple of seconds after Netscape/IE is opened. By that time, the user would have authenticated with the firewall. Since most people have a time window before they have to re-authenticate, the trojan horse would be able to run during this time. Even single-use password systems would be vulnerable due to that time frame.
I dont think this is correct. When a proxy requests "proxy authentication" credentials from a client, that client will send the authentication header to the proxy with every single request it sends from that point on (or until the user changes the proxy settings). Waiting a couple of seconds and then trying to send an unauthenticated request will just make the proxy ask for it again, it will not pass it through.
Only firewalls which authenticate every time you retrieve a file from outside the domain which you authenticated against would be safe. However, I think that due to the fact that many web pages now have links to graphics on advertisement networks (which would cause you to re-authenticate several times as it downloads the different graphics), very few people have this kind of setup.
Any firewall or non-firewall proxy that does true HTTP Proxy-Authentication will require the "Proxy-Authorization:" header field be in every request, that is how it is defined by the HTTP RFC. A truly secure proxy should not be caching the credentials and allowing unauthenticated requests to go thru. -- Wyllys Ingersoll UUNET (MCI Worldcom) Reston, VA
Current thread:
- httptunnel Ken Hardy (Mar 23)
- <Possible follow-ups>
- Re: httptunnel Steven M. Bellovin (Mar 24)
- Re: httptunnel youngk (Mar 24)
- Re: httptunnel Wyllys Ingersoll (Mar 25)
- Re: httptunnel John Lines (Mar 26)
- Re: httptunnel Wyllys Ingersoll (Mar 25)