Security Basics mailing list archives
pHproxy, edited version for more obfuscation
From: "Anton Chekhov" <knowthebird () gmail com>
Date: Sun, 26 Feb 2006 02:29:58 -0500
Hie, I was playing around looking at different proxies. All of the ones I found did not encrypt/use obfuscation (not sure if this is the rite word :-) on the website address when it was first submitted to the proxy. pHproxy (http://ice.citizenlab.org/projects/phproxy/) did xor the text/html before it sent it to the client, and then let them decode it with javascript with their browser. Because it did not obfuscate the url/address when it was posted to the proxy it could still be seen and easily be picked up by someone &/or software listening in. So, anyways I copied some code into their source, and now the address is "encrypted" w/ base64 3 times before it is sent to the server. The three times was just an obscure number, and even thow someone could build a list of keywords that where the base64 of different sites addresses, I thought it would take alot more time (especially if you change it from 3 times to something like 1000, or use some other algorithim) to try and keep up with watching someone. Also, For someone looking to really make it so that someone looking in could not just search for keywords to redflag someones internet connection, you need to go through the source code and change alot of the text. For example: pHproxy Start browsing through this php-based proxy by entering a URL below. , Would be easy to search for. So, all the text like the above needs to be changed, aswell as the text used in the javascript for both the xor, and base64. I posted this because not using obfuscation on the address before it is sent to the server makes the proxy semi useless in the long run in some countries, unless you use https, which is not something all of us can afford &/or want to do. You can find my edited version of the code at: http://rossk.org/ideas/obfuscation.php and a demo at: http://rossk.org/php/html/test/phproxy2.php Sorry for the rant, didn't really know the proper format for posting on the mailing list. --------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- pHproxy, edited version for more obfuscation Anton Chekhov (Feb 27)