Re: small proxy

From: Martin \ <et.code_at_ethome.sk>
Date: Wed, 31 May 2017 11:54:32 +0200

Heh proxies,

yeah I spent too much time tweaking my polipo and privoxy setups.

On Tue, 30 May 2017 22:49:19 +0100
Jorge Almeida <jjalmeida_at_gmail.com> wrote:

> On Tue, May 30, 2017 at 10:22 PM, Laurent Bercot
> <ska-supervision_at_skarnet.org> wrote:
> >> The Polipo author's reasoning may apply to your application as well, my
> >> memory is essentially the value of HTTP proxies has declined a lot now that
> >> so much of the web is behind HTTPS.

You can still do HTTPS proxying and filtering, if you do SSL MITM trickery on
"yourself". All commercial DPI engines I have seen (not many) use this
trick to pierce into private connections. Makes you wonder about
employees' and (other people's) right to privacy when used on site.

> > Yes. And if it is about HTTP, then the clients' ISPs will proxy the
> > data for them. They may even add some extra friendly stuff in the data,
> > such as ads and announcement banners! The lengths they will go to for
> > their users.
> >
> > Bottom line: HTTP proxies *are* on the way out, for good reason.

I came to the conclusion that, by default, if you want "unrestricted movement",
you don't use anything from your ISP besides the base transport layer.

ISP sins I believe we all have experienced:
 - shitty DNS
 - shitty "included" email services
 - shitty "included" webhosting services
 - shitty transparent proxies to "speed up" (read: trace and slow down) HTTP
   access

If your ISP is so paranoid that they won't allow you to go "out" any
other way than through their transparent proxy, for all the reasons mentioned
and more, it's a bad ISP and you should terminate all contracts with them.
Used to be the case with certain mobile operators in my country.

Sometimes one has to wonder what some ISPs actually do "right".

> This kind of situation usually means that I'm trying to use the wrong
> tool. As said in the first mail, I need to redirect some targets to a
> ssh tunnel, and let everything else go its way. Rather than using a
> proxy, the solution seems obvious: setup a different browser profile
> for the special targets and set the browser proxy for that profile to
> the ssh tunnel.

Depends on your use cases and the level of isolation you want to achieve.

If you just want to "project" yourself somewhere, use ssh.

Most modern browsers support SOCKS proxies, and ssh/sshd has a **great**
SOCKS-based server and tunneling built in. This can act as a poor man's VPN.

If you are using firefox based crap, you can make even DNS go through SOCKS,
completely "teleporting" your apparent location to the SOCKS exit point.

With js enabled, I believe, there are still some reflection attacks
possible, so it's best to put the whole browser thing (not just using a
separate profile) into some kind of container, which are in vogue these days.
Or use per-process iptables rules (not sure if nftables can do it yet)
to allow only SOCKS traffic for a given browser instance.

Modern js pages can, in certain cases, scan your network, so it's best
to never give the browser process even an option to do that.
Might break some things.

More complicated option is to use VPN, but it's not as easy and comfortable as
ssh.

Finally, if you are bent on modifying your own HTTP traffic in-flight,
I strongly suggest you look into privoxy. Maintaining this one will
consume most of your time.

It's not lightweight, but it is supervision friendly, and comes with an
incredibly nice magic bag of tricks.

  eto
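The "poor man's VPN" Martin sketches above (an ssh SOCKS tunnel, a Firefox profile that resolves DNS through it, and firewall rules so the browser can reach nothing but the SOCKS port) as one worked script. This is an added example, not code from the thread or from any of the projects it mentions. Linux has no true per-process iptables match, so it uses the closest standard mechanism, the `owner` match on the uid of a dedicated browser account; the jump host name, the port 1080, and the account name "webjail" are placeholders. The functions only generate commands and a `user.js`; nothing is applied unless you run the output yourself.

```shell
#!/bin/sh
# Added example: a single-browser SOCKS "teleport" built from the pieces
# named in the thread. Hypothetical values: jump host jump.example.invalid,
# local SOCKS port 1080, unprivileged browser account "webjail".

SOCKS_PORT=1080
JUMP_HOST=jump.example.invalid

# 1. The tunnel. -N runs no remote command, -D opens a SOCKS5 listener
#    bound to loopback only, so nothing else on the LAN can use it.
socks_tunnel_cmd() {
    printf 'ssh -N -D 127.0.0.1:%s %s\n' "$SOCKS_PORT" "$JUMP_HOST"
}

# 2. Firefox profile prefs: send all traffic to the SOCKS5 proxy and, with
#    socks_remote_dns, resolve names at the exit point instead of leaking
#    lookups to the ISP resolver. Writes user.js into the directory in $1.
write_firefox_userjs() {
    profile_dir=$1
    mkdir -p "$profile_dir"
    cat > "$profile_dir/user.js" <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", $SOCKS_PORT);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
user_pref("network.proxy.no_proxies_on", "");
EOF
}

# 3. Egress rules for the browser's uid ($1). The owner match stands in
#    for "per process": everything the browser account sends that is not
#    TCP to the local SOCKS port is rejected, which also stops a page from
#    probing RFC1918 neighbours or sending direct DNS. Printed, not applied.
egress_rules() {
    uid=$1
    cat <<EOF
iptables -A OUTPUT -m owner --uid-owner $uid -o lo -p tcp --dport $SOCKS_PORT -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $uid -j REJECT
EOF
}

# 4. Start the browser under the jailed account with the prepared profile.
#    --no-remote keeps it from handing the URL to an already running,
#    unproxied Firefox instance.
browser_launch_cmd() {
    printf 'sudo -u webjail firefox --no-remote --profile %s\n' "$1"
}
```

Typical use: `socks_tunnel_cmd` in one terminal, `write_firefox_userjs /home/webjail/prof`, then `egress_rules "$(id -u webjail)" | sh` as root, then `browser_launch_cmd /home/webjail/prof`. If the tunnel dies, the REJECT rule means the browser fails closed rather than silently going direct.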
Received on Wed May 31 2017 - 09:54:32 UTC