Penetration Testing mailing list archives

Re: Netcat through Squid HTTP Proxy


From: Christoph Puppe <puppe () hisolutions com>
Date: Tue, 17 May 2005 15:34:16 +0200

Henderson, Dennis K. wrote:

It seems like he was looking for information on how to prevent this.

  The most thorough way to prevent proxy abuses that use the CONNECT
feature to simulate valid HTTPS traffic is breaking up all these
connections, decrypting them and having them scrutinized with your normal
content security tool. The proxy acts like a man-in-the-middle attacker: it
gets the HTTPS connection, produces a certificate that matches the site being
requested and presents this to the client. The client agrees on a
session key with the proxy and starts sending requests. The proxy pipes
these requests through some logic to determine if this is an OK request;
most firewalls and CS-Tools will do this for you. Then the proxy opens a
new connection to the site requested, checks the certificate and sends the
requests. The results are processed likewise.

  Sounds complicated? It's a little more challenging than a simple proxy,
and the clients all need to have a new Root-CA-Certificate that is used by
the proxy to sign the fake certificates. Works fine. Keeps the tunnels
closed _and_ you get content security for HTTPS connections. No more
viruses from Web-Mail accounts that use HTTPS.

Of course, setting the firewall so that the proxy may only connect to
80, 443, 8080 and other well-known http/s ports should be done. Monitoring
logfiles is a good idea as well.

-- 
Kind regards

Christoph Puppe
Security Consultant


We secure your business.(TM)
_______________________________________________________

HiSolutions AG     Phone:    +49 30 533289-0
Bouchéstrasse 12   Fax:      +49 30 533289-99
D-12435 Berlin     Internet: http://www.hisolutions.com
_______________________________________________________
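
The log monitoring suggested in the message above, as an added example that is not part of the original post: a scan of Squid access.log entries for CONNECT requests to ports outside an allowlist, separating tunnels the proxy established from ones it denied. It assumes Squid's native access.log field order; the allowlist holds only the three ports named in the message, and the sample lines, hosts and addresses are constructed.

```python
# Added example: flag CONNECT requests to ports outside an allowlist.
ALLOWED_PORTS = {80, 443, 8080}  # ports named in the post; extend for your site

# Constructed sample lines, assumed native Squid access.log layout:
# time elapsed_ms client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1116336856.123    412 10.0.0.15 TCP_MISS/200 5120 CONNECT webmail.example.com:443 - DIRECT/192.0.2.10 -
1116336860.456  98211 10.0.0.23 TCP_MISS/200 884213 CONNECT host.example.net:22 - DIRECT/192.0.2.77 -
1116336861.789      3 10.0.0.23 TCP_DENIED/403 1450 CONNECT host.example.net:5900 - NONE/- text/html
1116336870.001     85 10.0.0.15 TCP_MISS/200 20480 GET http://www.example.org/ - DIRECT/192.0.2.20 text/html
garbage line
"""


def parse_connect(line):
    """Return a dict for a CONNECT entry, or None for other or malformed lines."""
    f = line.split()
    if len(f) < 7 or f[5] != "CONNECT":
        return None
    # For CONNECT the URL field is "host:port"; rpartition also copes with "[v6]:port".
    host, sep, port = f[6].rpartition(":")
    if not sep or not port.isdigit():
        return None
    action, _, status = f[3].partition("/")
    return {
        "client": f[2],
        "host": host.strip("[]"),
        "port": int(port),
        "action": action,
        "status": status,
        "elapsed_ms": int(f[1]) if f[1].isdigit() else None,
        "bytes": int(f[4]) if f[4].isdigit() else None,
    }


def suspicious_connects(log_text, allowed=ALLOWED_PORTS):
    """List CONNECT entries whose destination port is not in the allowlist."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_connect(line)
        if entry and entry["port"] not in allowed:
            # A 2xx status means the proxy actually opened the tunnel.
            entry["tunnel_established"] = entry["status"].startswith("2")
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for e in suspicious_connects(SAMPLE_LOG):
        state = "ESTABLISHED" if e["tunnel_established"] else "denied"
        print(f'{e["client"]} -> {e["host"]}:{e["port"]} {state} '
              f'({e["bytes"]} bytes, {e["elapsed_ms"]} ms)')
```

An established tunnel to an unexpected port with a long duration and high byte count is the entry to investigate first; denied entries show that the port restriction is doing its job.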

