From: wayne <wa...@ny...> - 2002-11-07 23:25:13
> From: xxx
> Subject: localProxy security, adding user's proxy lists
> To: wayne <wa...@ny...>

Excerpts from a private email. I thought it was of interest here...

[.. a request for me to anonymise this email before posting to this list ..]

Warning, I regularly run SP and mergeHosts to hosts.xml on everything I get, so they would appear in hosts.zip sooner or later. Asking me to remember not to do this is unlikely to succeed and is fraught with danger :-) Come to think of it, trusting me to anonymise enough for your tastes is also fraught with danger.

I have gone to some lengths answering several questions below, so I will copy the list for those parts of it.

[.. adding your own proxies to localProxy ..]

> >I suppose the sequence is
> >
> >1. copy config-UAE-dialup.xml to config-xxx.xml
> >2. perl statProxy.pl -t all:-18 -l listOfProxies.txt > results.txt
> >3. perl mergeHosts.pl results.txt config-xxx.xml
> >4. Restart both GUI and backend LP

Exactly...

> >5. What config should I select at this point ?

xxx. It should be in the list.

> I've done this now
> --------------------
>
> 1. perl statProxy.pl -t all:-18 -l listOfProxies.txt > results.txt
>
> ...once this was over and the results.txt was created

I'm sure you will be happy you waited :-) Next time, run SP on this new config file and merge back to it.

> 2. copy config-UAE-dialup.xml to config-xxx.xml
>
> 3. perl mergeHosts.pl results.txt config-xxx.xml

Exactly ...

> ----------------- results here ---------------------------------
> C:\..\..\...>perl mergeHosts.pl results.txt config-xxx.xml
> MergeHosts.pl v4.42
> merging results.txt to config-xxx.xml
> (saving original config-xxx.xml in config-xxx.old.xml)
> No access to 195.229.106.131:8080 - test done from ACL'd location
> Allowing test results anyway - some passed

Some proxies are inside the known UAE firewall, yet still accessible from outside. (The UAE firewall stops access to most UAE proxies from outside). Normally mergeHosts disallows negative test results for these which are done from outside (to avoid disabling them based on results from a bad testing location), but positive results mean access was ok, so they are allowed.

That message doesn't appear in my version. A bug which got fixed, I guess.

> No access to 195.229.230.66:8080 - test done from ACL'd location
> Allowing test results anyway - some passed

Same for this one.

[...]

> ---------------- end of results ---------------------------
>
> 4. Restarted GUI -> perl Localproxy.pl from the command line
> 5. Selected config xxx ! (sorry for that silly question earlier)
> 6. Clicked on "start services"
> [...]
> Now I configured my browser to "local host" "10080"
>
> - Have I completed the first set ups ?

Yes. Next time you build, make sure it says 'using firewall UAE-dialup'. You might need to bump debug up to 3 before starting the back end, to see this.

> - How secure is this system ?

How do you mean? It disallows connections from elsewhere, by default, so I didn't worry too much about someone feeding it weird characters to attempt buffer overflows. Perl isn't susceptible to that kind of attack anyway. Also the program doesn't execute any data, it just switches it. The regular expression handling may have some odd exploitable bugs, but I haven't seen anything on any security lists like that.

Someone *could* spoof your IP address, guess sequence numbers and execute perl code of their choice by making out they are the GUI controller, but this is extremely difficult to do.

Things get less secure when LP back end is running on a different host than the controller. Then you need to connect asap, or someone else might beat you to it and become the 'master' :-) But you (and all users I know of), are not doing this anyway.

> can my administrator know the sites I
> visit ?

He owns the wire, so the only way to get stuff past a good admin is to encrypt. The only way you can do that is if there's something at the other end to decrypt. LP was designed to require nothing outside (specifically, no shell account required), so there's nothing built in to handle encryption.

You can still pass encrypted data through it though. I do this all the time using ssh. See the User1 config for an LP service (10022) which sets up a tunnel out through a firewall. Then:

    ssh -p 10022 -L port0:proxy:port1 -D LPHost

will log you into the remote ssh service and allow port forwarding through the same encrypted tunnel, as well as providing a neat Socks(4) proxy on localhost for Socks capable (or socksifiable) apps. All encrypted. The only thing the smartest admin could see was that you made a connection to that remote ssh service. And most of them are nowhere near that smart :-)

Beware of your browser's cache, history, recent documents etc. though. A quick look at your computer would reveal all.

> - Can my ISP know the sites I visit ?

Yes. But mostly only if they sniff their network. Most do not do this except maybe when they have a network problem. Many have a policy stating they may not do this :-) Network sniffing will reveal *everything* except encrypted data.

One exception is commStrat 2. This tries to use the ISP proxies by encoding URLs in a way the web site will still understand, but which the proxy does not understand. The various encoding methods are therefore easy to interpret by a knowledgeable admin looking at his proxy logs. CommStrat 1 is also (just conceivably) in those logs. Certainly the initial CONNECT is there, but most logs would not show any more than that.

Turn commStrat 2 off if this worries you. It's usually fast, but not reliable anyway. It's there because sometimes it's the only way for some people. I use it because it's fast, and I know how to handle its sometimes strange responses.

> - can I use hotmail or other web based mail ? .. when I try hotmail, I
> get a message stating "the document contains no data"

Hmm ... if your proxies can't handle webDAV, you can't do that. SP test 12 tests for that, and there is a service provided by LP which selects that type of proxy for this use. You have two approaches once you include this service in your config and start LP:

1) Change your browser proxy to use the LP service port (10077 by default). Then back for normal browsing preferably.

or

2) Change your browser to use an automatic proxy config from LP port 10079 (default again). Then the browser gets directed to localhost:10079 for hotmail stuff, and to 10080 for normal web browsing stuff. This is how I use it, but again no one else does this that I know of. Browsers are all very stupid when it comes to using these proxy.pac things, so there are often inexplicable things happening requiring browser shutdown/restart etc. unless you know how to fix it. Mozilla is better at this now, but was terrible in earlier versions. IE was always bad, and I think is no better now (don't use it much though).

[...]

> Best Regards
>
> xxx

--
wa...@ny...
http://proxytools.sourceforge.net/
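
The automatic proxy configuration described in option 2 above could look like the following, as an added example that is not part of the original message and is not the file LocalProxy itself serves. The ports are the defaults quoted in the message; sending webmail to the service on 10077 (the port named in option 1), the 127.0.0.1 address and the `hotmail.com` domain list are assumptions.

```javascript
// Added example, not LocalProxy's own generated PAC file.
// Ports are the defaults quoted in the message; the choice of 10077 for
// webmail, the loopback address and the domain list are assumptions.
const LP_HOST = "127.0.0.1";
const LP_WEBDAV_PORT = 10077;   // LP service that selects WebDAV-capable proxies
const LP_DEFAULT_PORT = 10080;  // LP service for normal web browsing
const WEBDAV_DOMAINS = ["hotmail.com"];  // assumed list, extend as needed

// True when host equals the domain or is a subdomain of it. Matching on a
// label boundary keeps "nothotmail.com" from being treated as hotmail.com.
function inDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// The browser passes the host as typed (without the port), so fold case
// and drop a trailing root dot before comparing.
function normaliseHost(host) {
  return String(host).toLowerCase().replace(/\.$/, "");
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  const h = normaliseHost(host);
  // Requests to the local machine never need a proxy.
  if (h === "localhost" || h === "127.0.0.1") {
    return "DIRECT";
  }
  const port = WEBDAV_DOMAINS.some((d) => inDomain(h, d))
    ? LP_WEBDAV_PORT
    : LP_DEFAULT_PORT;
  // A single entry is returned, with no "; DIRECT" fallback: if the LP
  // back end is not running, the request fails instead of going out
  // unproxied.
  return "PROXY " + LP_HOST + ":" + port;
}
```

Browsers cache the PAC result per host, which is one reason a change to the file may not take effect until the browser is restarted.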