[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: https proxy [was polipo]

On Sat, Aug 21, 2010 at 6:18 PM, grarpamp <grarpamp@xxxxxxxxx> wrote:

Nothing in the open source field can do so yet afaik.

To do it, a shim needs to be coded and placed between the application and Tor.
user <-> browser <-> [optional tool] <-> shim <-> tor:9050

The shim needs to listen on a proxy port (and or two configurable
ports (for http and https)) and connect out to the world (or tor) to a
proxy port (socks) (and or
two other ports (for http and https or whatever port the input protocol used)).

It would pass http unmodified.
It would break end to end https. If the destination site had an invalid cert,
it would present an invalid self-generated one to the client. If the destination
site had a valid cert, it would present a self-generated and self-signed one to
the client (which had obviously included the shim's root as a trusted
cert), simply
to signify to the client as to validity. Identity would be available
from verbose
logging in the shim and via an http[s] port on the shim itself.

It could furthermore 'tee' off two output ports from it's bottom and receive
two input ports from it's top. These would be a more general hook into
'optional toolchains' located in between the client and server side,
decoding and shuffling the data stream in and out to a toolset at that point.

It should have no 'censoring', caching or other features.. as that is what
the optional toolsets do best.

Note that 'browser' could be anything that can speak http[s], not
just FF/MSIE. So 'plugins' are a non option.

Very interesting idea. I am considering attempting this in an upcoming practicum term at school starting in January 2011.Â

I wonder if you could help me a bit further by providing a list of advantages this shim would/could provide. I can see it could provide some protection against ssl/ssh mitm attacks. It could better protect the "browser" (or other app) by moving some of the ssl/tls/cert logic out to an open source proxy of sorts. It could better protect users against ssl/tls/cert vulnerabilities in both open source and proprietary apps.

But I confess to not being sufficiently capable yet on this issue, so any input by any other readers here would be greatly appreciated.