lowem.log
Inflation, Investing and Everything


Friday April 15, 2005

HTTP tunnelling

From time to time, somebody, maybe a friend, or FOAF (friend-of-a-friend) might ask me about accessing some Internet service from behind a firewall. Most likely it'll be a corporate firewall, or perhaps it may be one that's installed at some educational institution.

Most of the time, I will tell them something like, "this is one of the Dark Arts of Networking - it's not easy, it might not work, and it might be frowned upon." Furthermore, there's a good chance they're not uber-geeks and have no idea of the "issues involved".

One of the best articles out there regarding this topic has a rather catchy title (for uber-geeks, that is): "Punching holes into firewalls". Alternatively, the author has titled it "Why firewalls shouldn't be considered a ultimate weapon for network security" and "Secure TCP-into-HTTP tunnelling guide".

The basic idea is to create a tunnel through an HTTP proxy in which you can stuff TCP packets from your machine behind the firewall to some other server out there - most likely that will be your home PC connected to your broadband cable or ADSL modem, or perhaps if you're luckier, you have access to a server sitting on a high-bandwidth network that you can use (I did say it is geek territory, didn't I?).

The possible issues:

1. HTTP proxy servers weren't meant to transfer generic TCP traffic reliably. The HTTP protocol is meant to serve up web pages to you. You may encounter latency issues, timeouts, and buffering problems.

2. You need a web server that the HTTP proxy server can reach. That means probably a Tomcat or something similar. You don't want to use the default ports, which might be probed, say, ten thousand times a day by hackers, script kiddies, your ISP, the CIA, FBI, or some other agency.

3. You need special server software sitting on this web server that is able to unwrap incoming TCP traffic, re-direct it, and send the return traffic back over the HTTP tunnel. It must have its own special, non-standard protocol.

4. You also need client software that speaks the same protocol. Preferably, it uses the basic HTTP GET or POST commands. Some of the tunnelling software packages out there rely on CONNECT, which isn't so good because some firewalls/proxy servers have the CONNECT command disabled, while others enable it only on the default SSL port 443 (which you also should avoid, due to the probe issue mentioned in #2).

5. For the paranoid (like myself), the TCP traffic had better not be sent in cleartext. Some kind of encryption has to be utilised. Preferably strong encryption, with "lots of bits" (128, 256, etc.). What's the point of exerting great effort trying to set up a covert channel with a complicated protocol that works over HTTP proxies if all it takes to uncover everything you're sending is a sniffer or packet dump? For that, you need the services of something like OpenSSH or Zebedee, but that means yet another layer of complexity. Alternatively, you can use HTTPS and leave it to TLS/SSL to take care of the encryption part.
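Seen from the proxy operator's side, the choices in points 2 and 4 (high ports, CONNECT versus plain GET/POST) leave marks in the access log. The following is an added example, not part of the original post: the log format, host names, URL path and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines: epoch client method target status bytes
SAMPLE_LOG = """\
1113550000 10.0.0.5 CONNECT bank.example:443 200 5120
1113550010 10.0.0.7 CONNECT home.example:8443 200 904113
1113550020 10.0.0.9 GET http://news.example/index.html 200 20480
1113550030 10.0.0.8 POST http://home2.example:8080/x/io 200 312
1113550032 10.0.0.8 POST http://home2.example:8080/x/io 200 298
1113550034 10.0.0.8 POST http://home2.example:8080/x/io 200 305
1113550036 10.0.0.8 POST http://home2.example:8080/x/io 200 1460
1113550038 10.0.0.8 POST http://home2.example:8080/x/io 200 287
"""

# Assumed policy and thresholds; tune to the real environment.
CONNECT_PORTS = {443}      # CONNECT allowed only to the default SSL port
HTTP_PORTS = {80}          # default port for plain proxied HTTP
BURST, WINDOW = 5, 60      # >= BURST requests within WINDOW seconds

def parse(line):
    ts, client, method, target, _status, _size = line.split()
    if method == "CONNECT":                 # target is host:port
        host, _, port = target.rpartition(":")
        return int(ts), client, method, host, int(port)
    url = urlsplit(target)                  # target is an absolute URL
    return int(ts), client, method, url.hostname, url.port or 80

def find_tunnel_candidates(log_text):
    findings, polls = [], defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        ts, client, method, host, port = parse(line)
        if method == "CONNECT":
            if port not in CONNECT_PORTS:
                findings.append((client, host, port, "CONNECT to non-443 port"))
        elif port not in HTTP_PORTS:
            polls[(client, host, port)].append(ts)
    # Steady request bursts to one non-default port look like a polled tunnel.
    for (client, host, port), stamps in polls.items():
        stamps.sort()
        for i in range(len(stamps) - BURST + 1):
            if stamps[i + BURST - 1] - stamps[i] <= WINDOW:
                findings.append((client, host, port, "HTTP burst to non-default port"))
                break
    return findings

if __name__ == "__main__":
    for finding in find_tunnel_candidates(SAMPLE_LOG):
        print(finding)
```

Traffic carried inside CONNECT to port 443 passes both checks, so these heuristics only cover the non-default-port cases.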

For the latest practice in "the dark arts of networking", let's say we use the following:

1. An instance of Jakarta Tomcat with SSL set up using a so-called "self-signed certificate". We don't really care about authentication here; we just want to use the AES-128 encryption.

2. A copy of the SOHT (Socket over HTTP Tunneling) client and server. It's a Java open-source project.

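3. My patch to SOHT to support HTTPS. SOHT has got a nice protocol, but the patch is necessary to (a) make HTTPS work, (b) ignore certification path errors, and (c) ignore hostname verification mismatch errors. With (b) and (c) the client accepts whatever certificate the server presents, so the tunnel is encrypted but the server end is not authenticated.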

Once you have all that, all you need is to set up the port mapping and you're done. Then you can FTP (passively), SCP, SSH, POP, or SMTP all you want.

And if you want to surf securely (anonymously, secretly, etc.), try installing the Anomic/YaCy HTTP proxy server.

(2005-04-15 23:38:00 SGT) [Java]

Comments:

Dude, it's easy. Run an SSH server outside of the firewall on port 443. Then use proxytunnel to connect to it through the HTTP proxy (it uses CONNECT just like HTTPS).

Enable the dynamic port forwarding in your SSH client. This will run a SOCKS server locally which will forward all of the traffic through your SSH tunnel.

Configure your web browser, IM client, etc. to use this SOCKS proxy. Done. And, no one can see what you're doing including what web pages you're browsing.

Posted by Bob Lee on April 16, 2005 at 11:30 AM SGT

I'd like to avoid 443 if possible and use high ports, due to probing.

Yes, I do know about proxytunnel, it's a good one and quite widely used. But there are places where HTTP CONNECT might be disabled, though HTTPS CONNECT might be left alone, for the benefit of those folks who want to access Internet banking at work.

Also, not all client software is able to use SOCKS, which is an additional complication.

Posted by lowem on April 16, 2005 at 11:40 AM SGT
