Feb. 10, 2014, 10:38 PM
Greetings Proxomitron Gurus!
I'm new here. Please try to be kind if I violate any forum etiquette or customs (e.g. this is a long post with quite a few questions and hopefully I have not made *too many* assumptions)
After rediscovering Proxomitron I began researching which OpenSSL dlls to use in Proxomitron these days. I'm still unsure which to use in Proxomitron itself and/or with make-proxcert. Prospects include:
OpenSSL 0.9.6m [from OpenSSL Win32 Installer Team], Both files Modified: March 18, 2004
Code:
libeay32.dll: SHA-256 932663d5f3fc13d6f6a182663c4dca326eec0db22bd5f4307bb84c2e8dac7282
ssleay32.dll: SHA-256 74f66c4badb7481baed0278d9245e330e2bb9f20e327ce2d1199c9b826d182f5
OpenSSL-0.9.8-patched [from unknown source], Both files Modified: July 06, 2005
Code:
libeay32.dll: SHA-256 40bf950dcdb88deb66a355fe9838049c2b77f80872763f66238c71311352910e
ssleay32.dll: SHA-256 ac0aa31a5914f4fffc8b826851374642eab1e12a25878a971d5d1f87d2be77e9
OpenSSL-0.9.8.0-mod-rev1 [readme claims sidki, Sep 29 2006], Modified: September 26, 2006
Code:
libeay32.dll: SHA-256 492d02e478ac8ce340b8b9e2120bb8735cc25ce673d5841793ccedd02eecff46
ssleay32.dll: SHA-256 d23ce7a7397dd229c6d7770c642b15f3b6f570ade70a1befb85526bee9ca3a53
From Shining Light Productions' website:
OpenSSL 0.9.8y © 1998-2007 The OpenSSL Project, Both files Modified: February 06, 2013
Code:
libeay32.dll: SHA-256 733714803dc313a9481fcc0a5fdd33ad3574c1571f753f15299dd0df06656d9f
ssleay32.dll: SHA-256 c6d3b8b4c671191b9b3f514b47bb0afb4d712b8fd56d13af1c6c9bc476debb96
OpenSSL 1.0.1f © 1998-2005 The OpenSSL Project, Both files Modified: January 06, 2014
Code:
libeay32.dll: SHA-256 eb75fdef63d8af4995e36b1522873556f3f9d146cc971ecb990b2b2cec7d3767
ssleay32.dll: SHA-256 a23652f9761abf79ca8231794c6027f42d705e3403bd7c599e3b769ac0da835b
I'd like to use the latest OpenSSL 1.0.1f, but would really appreciate any recommendations, pointers, links, experiences, etc. anyone is willing to offer. BTW does anyone know the details of netlaw's June 2003 OpenSSL_add_all_algorithms modifications? sidki, feel like adding all the security patches between September 26, 2006 and February 06, 2013 <joking>
Additionally does anyone know if there are any limitations on OpenSSL versions in phoenix (aka whenever's) ProxHTTPSProxy? Will the slproweb Light packages suffice? How about the Win64 versions on an x64 OS... just curious?
Also I'm very interested in following up on a digression ProxRocks posted in the "ProxHTTPSProxy, a Proxomitron SSL Helper Program" thread (Post: #126) http://prxbx.com/forums/showthread.php?t...7#pid16467
Quote:...while i haven't played around with ProxHTTPSProxy for some time now, it has been my high hopes that it would become the wave of the future for anyone (ie, "us geeks") wishing to take matters into their own hands and "at their own risk" AXE the STUPID certificate-check CRAP...
the whole scheme is a crock of crap, we all know that malware sites can "buy" their own signed certificate (aka, "Certificate Authority breach"), so why propagate the MYTH that "certificates" correlate to "safety"?...
Note: Some references & resources pertaining to the following paragraphs are at the end of this post.
When I first came across phoenix (aka whenever's) ProxHTTPSProxy in the forums I too had high hopes, although slightly different ones than ProxRocks. At first I'd hoped ProxHTTPSProxy might permit certificate verification and/or enable local storage and comparison of verified certificates. I even thought *perhaps* it might be able to do some kind of certificate pinning like Microsoft's EMET or some more 'advanced' certificate checks (e.g. comparing certificate fingerprints against Steve Gibson's Fingerprints page or using less centralized approaches like Perspectives or Convergence.)
Apparently I had somehow managed to skim right past the big red "Warning: Currently ProxHTTPSProxy is not doing any kind of certificate check, use it as your own risk!"
After reading ProxRocks' digression and a great article "Technical Architecture shapes Social Structure" I did a little more research and thinking. As much as the Carnegie Mellon Perspectives approach and its derivatives Convergence and Convergence "Extra" may be improvements on the Certificate Authority scheme, in principle, I've come around to ProxRocks' position: "the whole scheme is a crock of crap". Nevertheless, in my opinion something needs to fill the authentication void.
I'd personally rather see an approach like Monkeysphere; but humbly ask - Does anyone know of any "parent proxy" that they use, or could be used, to help fill the SSL authentication void in Proxomitron? If not, does anyone have the skill(s) and motivation to implement some kind of SSL authentication into a Proxomitron add-on/parent proxy? I don't have the coding (or even scripting) skills myself but I've tried to compile some places to start -below- if anyone is interested.
Lastly, somewhat digressing here, view the source of https://dnscrypt.eu/ IIUC that's tracking script inside https on a security/privacy resource's webpage... probably (hopefully!) relatively benign.
Thanks to any and all that read this far! And thanks to all those who've participated on this forum, both past and present.
References & Resources:
Microsoft EMET 4.x's Certificate Trust Feature
https://blogs.technet.com/b/srd/archive/...ature.aspx
Perspectives ["decentralized" SSL certificate checks from "network notary servers"]
http://perspectives-project.org/
https://github.com/danwent/Perspectives
Convergence [Perspectives-like SSL certificate checks from a "dynamic set of Notaries"]
http://convergence.io/details.html
https://github.com/moxie0/Convergence
Convergence "Extra" [Convergence fork that checks using "private" notaries]
https://github.com/mk-fg/convergence#cha...m-upstream
Monkeysphere [uses PGP web of trust model to assess https certificates]
http://web.monkeysphere.info/why/#index1h2
TACK ["A proposal for a dynamically activated public key pinning framework"]
http://tack.io/
https://lists.riseup.net/www/arc/tack/20...00001.html
Skip Cert Error [Seems better than ignoring all certificates imho]
https://github.com/foudfou/skipCertError/
https://addons.mozilla.org/en-US/firefox...ert-error/
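The "local storage and comparison of verified certificates" idea from the post, as an added example that is not code from the original post, from ProxHTTPSProxy or from Proxomitron: a small trust-on-first-use pin store that fingerprints a server's leaf certificate and reports when a host's certificate changes, which is the check a certificate-aware parent proxy would run before forwarding. The host name in the usage stanza and the DER placeholders are assumptions.

```python
import hashlib
import json
import socket
import ssl

# Added example, not ProxHTTPSProxy's or Proxomitron's own code: a minimal
# trust-on-first-use (TOFU) pin store of the kind the post asks about.


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """Remembers the first fingerprint seen per host and flags later changes."""

    def __init__(self, pins=None):
        self.pins = dict(pins or {})

    def check(self, host: str, der_cert: bytes) -> str:
        """Return 'first-seen', 'match' or 'mismatch'; a pin is never overwritten."""
        fp = fingerprint(der_cert)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp
            return "first-seen"
        return "match" if known == fp else "mismatch"

    def save(self, path: str) -> None:
        with open(path, "w") as fh:
            json.dump(self.pins, fh, indent=2, sort_keys=True)

    @classmethod
    def load(cls, path: str) -> "PinStore":
        with open(path) as fh:
            return cls(json.load(fh))


def fetch_leaf_cert(host: str, port: int = 443) -> bytes:
    """Connect with normal chain and hostname verification, return leaf as DER.
    Needs network access; not used by the offline checks."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    store = PinStore()
    host = "example.com"  # assumption: any reachable HTTPS host
    print(host, store.check(host, fetch_leaf_cert(host)))
```

A mismatch should block or warn rather than silently re-pin, since a legitimate certificate rotation and a man-in-the-middle look identical to the store.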