https proxy [was polipo]
Julie C
julie at h-ck.ca
Mon Aug 23 13:34:19 UTC 2010
On Sat, Aug 21, 2010 at 6:18 PM, grarpamp <grarpamp at gmail.com> wrote:
>
>
> Nothing in the open source field can do so yet afaik.
>
> To do it, a shim needs to be coded and placed between the application and
> Tor.
> user <-> browser <-> [optional tool] <-> shim <-> tor:9050
>
> The shim needs to listen on a proxy port (and or two configurable
> ports (for http and https)) and connect out to the world (or tor) to a
> proxy port (socks) (and or
> two other ports (for http and https or whatever port the input protocol
> used)).
>
> It would pass http unmodified.
> It would break end to end https. If the destination site had an invalid
> cert,
> it would present an invalid self-generated one to the client. If the
> destination
> site had a valid cert, it would present a self-generated and self-signed
> one to
> the client (which had obviously included the shim's root as a trusted
> cert), simply
> to signify to the client as to validity. Identity would be available
> from verbose
> logging in the shim and via an http[s] port on the shim itself.
>
> It could furthermore 'tee' off two output ports from it's bottom and
> receive
> two input ports from it's top. These would be a more general hook into
> 'optional toolchains' located in between the client and server side,
> decoding and shuffling the data stream in and out to a toolset at that
> point.
>
> It should have no 'censoring', caching or other features.. as that is what
> the optional toolsets do best.
>
> Note that 'browser' could be anything that can speak http[s], not
> just FF/MSIE. So 'plugins' are a non option.
>
>
Very interesting idea. I am considering attempting this in an upcoming
practicum term at school starting in January 2011.
I wonder if you could help me a bit further by providing a list of
advantages this shim would/could provide. I can see it could provide some
protection against ssl/ssh mitm attacks. It could better protect the
"browser" (or other app) by moving some of the ssl/tls/cert logic out to an
open source proxy of sorts. It could better protect users against
ssl/tls/cert vulnerabilities in both open source and proprietary apps.
But I confess to not being sufficiently capable yet on this issue, so any
input by any other readers here would be greatly appreciated.
--
Julie
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20100823/48828b36/attachment.htm>
More information about the tor-talk
mailing list