The dangers of HTTPS

Discussion in 'privacy general' started by Paranoid2000, May 6, 2004.

Thread Status:
Not open for further replies.
  1. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hello, P2K! :)

I tried installing the HTTPS filtering you suggested. I went to the download site and downloaded the file application "Win32OpenSSL-v0.9.6m.exe", installed it, and checked the appropriate box in Proxo setup. After installation, I didn't see the .dll files in my Proxomitron directory, and it's not in the OpenSSL directory the app created either. However, when I went to a secure web site, it was logging lots of data in the log window. I also received a certificate warning, which I understand I was supposed to see. Does this mean it's working correctly?

    I also read a warning that this SSL stuff is being tested, and I should not use this when doing online banking, etc. Do you agree, or is this an old warning?

    Thanks.
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Hello again D&C, (we need to stop meeting like this you know...;))

    If the Proxomitron logs show filtering actually taking place (showing the filters applied rather than just the connection details) then that would confirm it. As for testing and use with banking sites, you're more likely to have issues with Proxomitron filters than with the SSL code. You can exempt your bank site from filtering if you wish - but in my view they are an online business and as likely to use advertising or tracking as any other website (so I always filter mine).
     
  3. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    I don't mind meeting like this if you don't. :D


    I think the SSL filter is working correctly. When I hit the bypass button, there are quite a few items listed in the log window when I refresh the web page. But when I enable Proxo, a lot more shows up in the window after a page refresh. So I guess this is good? :doubt:

    I'm not too sure Proxo is really doing much for me. I took a few of the browser security tests, and results were not as I expected.
    1. I failed the Javascript Enabled test
    2. I passed the popup tests, but my browser (NetCaptor) does a pretty good job of blocking those anyway.
    3. Passed Javascript Unload Test
    4. Passes Javascript Homepage Test
    5. Failed Cookies Test
    6. Failed Third-Party Cookie Test
    7. Passed Active-X test
    Not sure which of these Proxo should have helped on, but I'm not used to getting such bad grades...

    Edit: I must also say the BrowserSpy site was able to tell quite a bit about my PC. :( And I am running the Grypen FilterSet as you suggested. Am I doing something wrong? Actually, I was surprised it didn't tell me what type of underwear I was wearing... :D
     
    Last edited by a moderator: Sep 15, 2005
  4. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The Proxomitron log window shows filters that have matched in purple text - so you should see plenty of purple if Proxomitron is working. As for the browser security tests, you do need to go through the filter list activating the ones you want (the main Javascript blocker in Grypen is Disable: Scripts {10.e.a} which I believe is disabled by default since it can significantly affect webpages).

    If you are new to Proxomitron, then the default filterset is the best place to start and experiment - Grypen/JD5000 offers more power but it takes a while to get to grips with...
     
  5. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks, P2K. Maybe it's possible I didn't install Grypen correctly. I installed the app alright, but have I selected the correct Filterset?


    In the "Config Load-A-Rama!" dialog box, I see Level 1 through 6 config files, in addition to a default and a default-backup. Which should I select? Which one is the Grypen filterset (configuration)?
     
  6. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The "default" ruleset is what is changed by installing filtersets like Grypen and that is what should be used. You need to go through the filters (Web Page and Headers) and select the exact filters which you wish to use (those activated will be displayed in bold with a tick in front). Levels 1-6 contain the original filters but with more activated at higher levels.
     
  7. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks, P2K. However, whether I'm surfing an SSL site or not, I assumed the reason to use Grypen as opposed to the normal default filter was because Grypen pre-selected what I needed.
     
  8. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Nuh-uh. Filtersets like Grypen and JD5000 offer more specialised filters and finer control (e.g. being able to exclude specific filter groups for problem sites via the User Include-Exclude file) but you have to decide what to use since some filters may make changes you find problematic (e.g. there is one that replaces all images from third-party sites with a link - great for those with slow connections who wish to minimise graphics but likely an irritation for others). Most filters therefore have a score (1-10) to give an idea of how much they affect a page. Newcomers to Proxomitron should stick with the basic filterset (try one of the level1-level6 configs - they have the same filters but higher levels enable more of them).

    In the interest of keeping this thread OT, I'd ask that future Proxomitron questions be made in a separate thread - or a Proxomitron-specific forum.
     
  9. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    How do the dangers of HTTPS relate to an SSH tunneling external proxy like Anonymizer Total Net Shield, COTSE SSH, or FindNot?
    Setting one's browser to run the SSL through the SSH proxy client would prevent the HTTPS connection from connecting directly to your computer.
    Would this not also solve the related dangers? (by protecting your ip during SSL)

    In this situation, how are the SSL certificates handled?
    The HTTPS connection is going through the external proxy, but one does not receive any certificate warnings from the browser, why not?

    From the website to the external proxy, there is an SSL connection.
    Is the SSL connection decrypted at the proxy then reencrypted in a separate SSL connection between the proxy and the browser?
    If the SSL connection is just passed through without the proxy "opening it up" (decrypting) then why doesn't the browser's real IP get passed through to the website?
     
  10. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    If the tunnel uses SSL via a https:// URL (e.g. Anonymiser's free service via their webpage) then only the browser will see the unencrypted traffic rendering any external filtering software useless (i.e. the problem covered in this thread would apply with all web pages accessed through the anonymiser). However if separate proxy client software is used (e.g. JAP, Tor) then external filters will still work (for non-https: pages) provided they are set up correctly (i.e. chained between the browser and the anonymising proxy client).
    If you access https:// pages through an anonymising proxy then two levels of encryption take place - the SSL connection between browser and website and the anonymiser's encryption between its client and server (which may be just one server as with Anonymiser or COTSE or a network of servers like Tor). Neither the browser nor the https:// website will be aware of this extra layer of encryption since it takes place after the traffic leaves the browser and is removed before it reaches the server (and similarly with any response sent back by the server). So SSL certificate handling is unchanged.

    If you use Proxomitron to filter SSL traffic however, the browser makes an SSL connection to Proxomitron which then makes a (separate) SSL connection to the website. The browser will receive Proxomitron's certificate (and will likely pop up a warning since it will not match the website URL) while Proxomitron will receive the website's certificate.
    The SSL connection (for https:// pages) goes from browser to website - it is not decrypted or amended by anonymising proxies. The situation you describe above though is what happens when Proxomitron is used to filter SSL.
    Because SSL connections do not include details of IP addresses - this information is stored within the header of each Internet Protocol (IP) packet sent. The IP packet data field will contain a TCP packet with details of the network connection (connection ID, port numbers, TCP window details) in its header and within the TCP packet data field will be the HTTP headers and the information that SSL uses.
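    The certificate warning mentioned in the first post comes from exactly the mismatch described above: the browser asked for the website's hostname but received the local proxy's certificate. The following is an added example (not code from the thread or from Proxomitron) that reproduces the browser's hostname check on two constructed certificate dictionaries, in the shape Python's ssl.SSLSocket.getpeercert() returns; the hostnames and the "localhost" proxy certificate are assumptions for illustration.

```python
import ipaddress

def _match_dns(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or a single leftmost '*' label covering one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Wildcard only allowed as the whole leftmost label, never for a bare or TLD-level name.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_matches_host(cert: dict, host: str) -> bool:
    """Emulate the browser check: SAN entries win; CN is consulted only if no DNS SAN exists."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:  # connecting by IP: only an IP SAN can match
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:
        return any(_match_dns(p, host) for p in dns_names)
    for rdn in cert.get("subject", ()):  # legacy commonName fallback
        for key, value in rdn:
            if key == "commonName" and _match_dns(value, host):
                return True
    return False

# Constructed certificate dictionaries (not real certificates) in getpeercert() shape.
SITE_CERT = {  # what the website itself presents on a direct connection
    "subject": ((("commonName", "www.example-bank.test"),),),
    "subjectAltName": (("DNS", "www.example-bank.test"), ("DNS", "example-bank.test")),
}
LOCAL_PROXY_CERT = {  # what a local filtering proxy such as Proxomitron would present
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "localhost"), ("IP Address", "127.0.0.1")),
}

def should_warn(cert: dict, requested_host: str) -> bool:
    """True when a browser would raise its 'certificate does not match site' warning."""
    return not cert_matches_host(cert, requested_host)

if __name__ == "__main__":
    print(should_warn(SITE_CERT, "www.example-bank.test"))         # False: direct connection
    print(should_warn(LOCAL_PROXY_CERT, "www.example-bank.test"))  # True: proxy cert in the way
```

    The same mismatch is what a user would see from any man-in-the-middle presenting its own certificate, which is why the warning should be expected only on the hosts you have deliberately routed through the proxy.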
     
  11. tlu

    tlu Guest

    For Firefox: Input about:config and set "security.warn_entering_secure" to "true".
     
  12. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Paranoid2000,

    Thank you for the very clear and easy to understand explanations. :)
     
  13. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks Tlu!!
     
  14. tlu

    tlu Guest

    My pleasure! :)

    Aside from this, I'd like to moot the need of Proxomitron for Firefox users. I've been using Proxomitron for quite some time together with the Active Content plugin of Outpost but I've recently replaced both by some excellent Firefox extensions, namely
    The big advantage is that their usage is very convenient - and above all: They also work for https-sites! On the other hand, I don't think that I abandon any security and privacy compared to the situation before.

    Do you agree?
     
  15. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    An interesting point to note - it does make sense that browser extensions would have access to https:// content but thanks for the confirmation.

    As for the pros/cons of Proxomitron, it does offer much finer control over website appearance and can tackle annoyances like blinking/animated text, non-movable frames, cursor/scrollbar changes and removing identifying details from tracking links (URLs with embedded IDs). It can also add useful options (page preview links and different styles in Google searches, Google cache and Internet Archive search options for "Page not found 404" results, toolbars with extra webpage options, etc) so there are non-security benefits too.
     
  16. tlu

    tlu Guest

    P2K, you are right as (nearly ;)) always, and I might rethink my decision to abandon Proxomitron. I just came to a point where I got tired of tinkering with it ... shame on me! :D
     
  17. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Because there are no current exploits that bypass FF extensions, wouldn't Proxomitron be immune to future browser exploits because it is separate from the browser?
     
    Last edited: Nov 12, 2005
  18. tlu

    tlu Guest

    Well, at least you should use a Personal Firewall which is able to control access to localhost (not all PFWs can do this). Otherwise any application could connect to the internet and you'd never notice.
     
  19. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    That's a great point for anyone running any type of local proxy. Thanks.
     
  20. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Another example of user-tracking using HTTPS is Google Analytics. Placing an order at the machinemart.co.uk site results in connections being made to ssl.google-analytics.com at every stage of the ordering process. We're not evil now, are we? ;)
     
  21. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,072
    Location:
    Texas
    The CustomizeGoogle extension for Firefox includes cookies as well as ad removal.
     

  22. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    An interesting extension there, Ronjor - thanks for the pointer. Though it seems a little depressing that one site ends up needing a full extension like this for private use.
     
  23. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Another example to report - if you are a UK American Express user who likes to check your statements online, American Express tries to report your activity on every page access to Omniture via americanexpress.122.2o7.net including the web page you were accessing, time/date, your IP address, system/browser details like window size and screen resolution (along with other information I can't identify).
     
  24. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Re Omniture

    New readers or those who may have forgotten about Omniture may like to refresh on what Paranoid2000 wrote about Omniture in the very first post in this thread. In particular how to block using your Hosts file, which is what I have done. Along with the fact that I also permanently run Desktop Armor http://www.desktoparmor.com/index.shtml which kills all Web Bugs, amongst providing lots of other security protection etc.


    "However the most widespread user appears to be Paypal. Every site that requests donations via Paypal has an HTTPS link to Paypal's website for their icon. Furthermore, Paypal's home page includes a web-bug triggering another HTTPS connection to Omniture (102.112.2O7.net - note the last O, not a zero) which can include extra information as parameters to the URL like hardware details (like screen resolution) and the account number that you are making a payment to (I have queried this with Paypal but received no proper explanation)."

    Opera users appear to be covered in certain ways too.


    StevieO
     
  25. GUI_Tex

    GUI_Tex Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    189
    paypal uses omniture.. 2o7.net


    Whew... that's a relief.. :D
     