The dangers of HTTPS

Discussion in 'privacy general' started by Paranoid2000, May 6, 2004.

Thread Status:
Not open for further replies.
  1. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    You seemed to answer it yourself. The answer is almost surely no, but since I don't use IE I cannot confirm this. You however can try installing a program like Privoxy which, aside from filtering traffic, will also list all the URLs your browser visits, including HTTPS ones. Your firewall logs may also include this information.

    For a test, try visiting this PCWorld webpage, it includes a webbug triggering an encrypted connection to pcworld.rpts.net so see if you spot it. :)
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Also, if you make a rule in your firewall rule set to permit your trusted HTTPS addresses via port 443, then all other attempts via that port will bring up an alert/prompt. That's how I know when attempts are made to connect to Paypal.

    ---
    Rmus
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I just tried this and the webbug triggering attempt was blocked by my firewall final "block all rule":

    ----------------
    26/Apr/2005 23:22:56 Deny All Remaining Protocols <> Any blocked; Out TCP; localhost:1633->eqvarptsadvip1.doubleclick.net [216.73.87.30:443]; Owner: F:\OPERA\OPERA.EXE
    ------------------

    (You would think pcworld.rpts.net is part of pcworld, but is really an ad server for doubleclick.net)

    I think if your firewall rule set is properly configured, you can control what you want permitted to go out.

    ---
    Rmus
     
    Last edited: Apr 27, 2005
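
An added example, not part of the original posts: a short Python script that reads firewall log lines in the layout Rmus quotes above and lists outbound port 443 connections to hosts that are not on a trusted list. Only the first sample line comes from the thread; the other lines, the `Trusted HTTPS` rule name, the `permitted` action word and the `bank.example` / `tracker.example` names are constructed assumptions.

```python
import re
from collections import Counter

# Layout follows the log entry quoted in the thread; "permitted" as the
# action word for allowed traffic is an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}) (?P<rule>.+?) "
    r"(?P<action>blocked|permitted); (?P<dir>In|Out) (?P<proto>TCP|UDP); "
    r"(?P<src>\S+)->(?P<host>\S+) \[(?P<ip>[\d.]+):(?P<port>\d+)\]; "
    r"Owner: (?P<owner>.+)$"
)

# First line is the entry from the thread; the rest are constructed samples.
SAMPLE_LOG = r"""
26/Apr/2005 23:22:56 Deny All Remaining Protocols <> Any blocked; Out TCP; localhost:1633->eqvarptsadvip1.doubleclick.net [216.73.87.30:443]; Owner: F:\OPERA\OPERA.EXE
26/Apr/2005 23:23:10 Trusted HTTPS permitted; Out TCP; localhost:1640->www.bank.example [192.0.2.10:443]; Owner: F:\OPERA\OPERA.EXE
26/Apr/2005 23:23:41 Deny All Remaining Protocols <> Any blocked; Out TCP; localhost:1652->eqvarptsadvip1.doubleclick.net [216.73.87.30:443]; Owner: F:\OPERA\OPERA.EXE
26/Apr/2005 23:24:02 Deny All Remaining Protocols <> Any blocked; Out TCP; localhost:1660->tracker.example [198.51.100.7:80]; Owner: F:\OPERA\OPERA.EXE
26/Apr/2005 23:24:30 Deny All Remaining Protocols <> Any blocked; Out TCP; localhost:1661->bank.example.tracker.example [198.51.100.8:443]; Owner: F:\OPERA\OPERA.EXE
"""

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_trusted(host, trusted):
    """Exact match or true subdomain only, so 'bank.example.tracker.example' fails."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)

def untrusted_https(log_text, trusted):
    """Count outbound TCP/443 attempts to hosts outside the trusted set."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if (rec["dir"], rec["proto"], rec["port"]) != ("Out", "TCP", "443"):
            continue
        if not is_trusted(rec["host"], trusted):
            hits[(rec["host"], rec["ip"], rec["owner"], rec["action"])] += 1
    return hits

if __name__ == "__main__":
    for (host, ip, owner, action), n in untrusted_https(SAMPLE_LOG, {"bank.example"}).most_common():
        print(f"{n}x {action:9} {host} [{ip}] by {owner}")
```

The logged name is the one the firewall resolved for the address, which is why the entry shows a doubleclick.net host rather than pcworld.rpts.net.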
  4. erikguy

    erikguy Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    236
    Location:
    Salem, OR
    You're right Paranoid, it doesn't work. Is the only way to trigger such a connection through a web bug? Cuz if it is wouldn't Web Washer remove this threat? (I know you praise Proxomitron but it's too complicated for me to use).
     
  5. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Tracking can be done via any web page element that includes an address (e.g. link, image, background, sound), not just a web bug and could be hidden within a Javascript command. I'm pretty sure that WebWasher cannot filter HTTPS so would be of no use here.

    Filtering with a firewall is one approach since you could set up specific rules to allow traffic to HTTPS sites you use (e.g. site login pages, online banks) while prompting for anything else but a typical transaction to a new site may involve several connections (and therefore several prompts).

    If you find Proxomitron is really too hard (the default filters should be straightforward enough) then using (and configuring as per the first post) Opera would seem the simplest solution. If anyone knows of a method of getting the same results with IE or Firefox, please post the details here.
     
  6. erikguy

    erikguy Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    236
    Location:
    Salem, OR
    Refresh my memory, which firewall can do that? Also, do you mean that Proxomitron should be ok for most people in the default configuration? Is that right? I tried using those two dlls once but to no avail.

    That server mentioned (pcworld.rpts.net) seems to resolve to something.doubleclick.net so if you had the ads blocklist in Protowall you could potentially guard yourself using any browser; it would, however, make the browser hang, slowing even a broadband connection. Right? I don't think either Firefox or IE would have any option to guard against this threat.

    BTW Web Washer CAN filter web bugs which is why I was asking if that is the only way to trigger an HTTPS connection such as the test outlined in your post.
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Any firewall which allows you to specify that you should be prompted for a specific traffic type can be used to alert you to HTTPS site access. The benefit of using Proxomitron is that it can prevent such links from setting cookies or picking up system/browser/referer information - you can check whether this is happening or not by viewing its log window (as noted in the first post in this thread, you do need to configure it to filter HTTPS also).
    Protowall filters by IP address so you would have to have the exact domain name (e.g. ad.uk.doubleclick.net is at a different address from ad.doubleclick.net) and it would not function if you used a proxy/anonymising proxy for web access (since all traffic would be going to the proxy's IP address). It should not hang a browser though it may cause delays waiting for connections to timeout - hosts file entries have similar problems but should not cause timeouts.
    Web Washer can filter standard web pages but would not be able to do anything with encrypted ones - so while it could remove a web bug, if a connection was made by other means to any HTTPS addresses (e.g. via a banner ad), it would not be able to prevent cookies from being set or read, or the website from retrieving system/browser information (see test sites like BrowserSpy or Network Tools' Analyze Your Connection to see what information could be revealed - these do not use HTTPS so can be controlled by web filtering).
     
  8. erikguy

    erikguy Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    236
    Location:
    Salem, OR
    Well finding the IP to pcworld.rpts.net shouldn't be too hard, in fact it's 216.73.86.30. Also, I see what you're saying. But Web Washer CAN filter banner ads, cookies and referrers so wouldn't that be enough to prevent a web site from opening an HTTPS connection in the first place?
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    If that HTTPS connection was triggered by a web bug (using an <IMG> tag) then yes - but there are other ways of triggering connections to other sites (mentioned previously) and if such a connection is established using HTTPS, WebWasher would not be able to do any filtering on it - no cookie control, referer munging or script removal. That is where the problem lies.
     
  10. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I guess it would need a special plugin like Proxomitron has... Spyblocker doesn't do it either... But I talked to Paul about it and apparently he's investigating it ;) due to this topic btw.
    Take care
     
  11. erikguy

    erikguy Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    236
    Location:
    Salem, OR
    Ah, understood. Thanks Paranoid.
     
  12. erikguy

    erikguy Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    236
    Location:
    Salem, OR
    I'm sorry. I must have missed the other methods for establishing such a connection (It's late here on the US West Coast:p). Please point out.
     
  13. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
  14. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Statistically, surfing on HTTPS sites is safe; but according to the facts (that which is possible) it's not totally safe.
    Attacks are possible (cookie poisoning, Man in the Middle etc) and some of them are used for phishing.

    Best surfing practises are an easy prevention method: never store passwords and unnecessary cookies, close the browser, the connection and make a complete cleaning of the surf after an online payment (cache, cookies, temp files) etc...


    Paranoid: to reply to your suggestion ("if anyone knows of a method of getting the same result with IE or Firefox") i don't really know specific tools or toolbars which could be used in the same way.

    There is the webdeveloper toolbar, but HTTPS requests are not integrated:

    http://chrispederick.com/work/firefox/webdeveloper/documentation/

    There is the old TuvBar toolbar which is really a "swiss knife" and integrates many tools (NetCraft, netTools, HTTPHeaders etc) and could be used automatically with Paros proxy/scanner.

    http://tuvbar.mozdev.org/

    Paros is a free web application audit tool, with a graphic interface and easy to use:

    http://www.parosproxy.org/

    There is also this old French HTTPS proxy (free) which just works as a service (no GUI and configuration possibilities): SSLStripper plays a Man In The Middle between client (browser) and server (web site).

    http://www.vroyer.org/sslstripper/

    Charles has also been mentioned, and there are some other free and open source similar HTTPS proxies (see the image) but i don't think that they could be really useful for the majority of users.
    And one or two of them are used by attackers to prepare web application attacks (SQL injection, XSS etc).

    In my private opinion, the less time i spend managing my security and privacy, the more i enjoy my surf.
    In this case, i hope - as Infinity said - that Spyblocker will be able to filter HTTPS connections in the next versions.


    For more information about the subject, there is for example a pdf paper from Symantec: Secure Surfing: Understanding the security risks of web browsers.

    http://www.atstake.com/research/reports/

    Regards
     


    Last edited: May 20, 2005
  15. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The key feature is giving an alert on HTTPS connections - this could either be by flagging all such connections or by allowing prompts on specific certificates.
    Plenty of options but none relating to HTTPS as you note.
    The Paros proxy would seem to be the useful option here since it offers filtering on HTTPS traffic. Since it is written in Java it should be usable with Linux or Mac OSX also.
    Stripper looks interesting due to its ability to "spoof" certificates (which can then avoid browser warnings). It does however have to be used in conjunction with another filter so would probably be a little complex to set up for individual use. Companies using virus/content filters should find it extremely useful though.
    Unfortunately security is an evolving field with new threats continually needing to be countered. This HTTPS issue is currently more of a privacy concern (since 3rd parties could read and write cookies on your system even with a filter present), but it would likely be only a matter of time before someone puts it to more malicious use (hiding malware installations for example).
     
  16. trevor12

    trevor12 Registered Member

    Joined:
    Dec 29, 2003
    Posts:
    15
    Location:
    Czech republic, Prague
    Maybe the issue can be fixed via IE - option - security - internet - custom level ... (there is among others cross site prevent ...)

    Or what about an application fw that blocks any traffic with the https protocol (or for IE only)?
     
  17. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Nope, please see previous posts.
    Could pose problems for legitimate HTTPS access (e.g. shopping, online banking). A firewall which can prompt on such connections would work, but since each page element can trigger a separate connection, you may have to respond to several prompts for a web page you wanted to visit.
     
  18. erikguy

    erikguy Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    236
    Location:
    Salem, OR
    Well you don't have to have a separate program to filter third party cookies (see pic). Is this really only a privacy concern? What kind of information can these cookies contain?
     


  19. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I said currently more of a privacy concern since I have seen this principally with web-bugs. It could also be used to deliver malware (via ActiveX) through any third party filters you use, or to abuse Java/Javascript (delivering advertising through any ad filter you use would be one likely scenario).

    As for possible cookie abuse, this has been well discussed elsewhere.
     
  20. erikguy

    erikguy Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    236
    Location:
    Salem, OR
    I just tried to pay my ISP bill online and it looks like my browser connected to hitbox.com. The only reason I knew this is because I was sitting on a secure site and after sending some information IE warned me "that the site I would send the information to was NOT secure and that others would be able to see the information". I was like "WTF"? After some investigating I found out that sure enough, IE connected to some Hitbox server. I believe the setting that gave me this prompt was this one (see pic). The setting is not properly set on this computer because I am sitting at my friend's computer right now. This of course would not help in all scenarios because in this case I was sitting on a "secure" site and my browser tried to send information to a nonsecure site.
     


  21. khazars

    khazars Registered Member

    Joined:
    Jun 8, 2005
    Posts:
    124
    Location:
    Glasgow, Scotland
    Hi Paranoid, can you use Privoxy with Proxomitron, if so, how?
     
  22. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Please see Setting up Tor/Proxomitron+SocksCap for details. You may wish to disable Privoxy (it will still Socksify traffic which is presumably what you are using it for) since its filtering may conflict with some Proxomitron filtersets and can take up significant CPU.
     
  23. khazars

    khazars Registered Member

    Joined:
    Jun 8, 2005
    Posts:
    124
    Location:
    Glasgow, Scotland
    Thx for the reply and info. I'm using Privoxy with Tor just now, could/should I use SocksCap with it, is it possible? What combo is best if any, Proxomitron/Tor/SocksCap or Privoxy with Tor?

    cheers khaz
     
  24. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Those questions are answered in that thread...
     
  25. khazars

    khazars Registered Member

    Joined:
    Jun 8, 2005
    Posts:
    124
    Location:
    Glasgow, Scotland
    Re: Port 22 open: After Tor, SocksCap and Proxomitron install!

    Back again.

    Well, I set up Proxomitron with SocksCap and Tor, on an XP box, all went well with the exception that I now have port 22 open. I use Jetico's firewall and it allowed all the ports you mentioned for Tor and the rest no problem. I have checked all the logs but can't see what application has opened port 22?

    Anyone know which application has opened port 22?

    Update, it's now port 22, 53, 80, 110, 443, 995, which are all open, I know some apps have opened them, is this normal for Proxomitron, SocksCap and Tor to open these ports?

    cheers khaz
     
    Last edited: Jun 26, 2005