Post Reply 
Default SSL Settings
Oct. 05, 2010, 05:19 PM (This post was last modified: Oct. 06, 2010 06:07 PM by sidki3003.)
Post: #1
Default SSL Settings
Thread split from Beta Config (Sep 19 2010)

(Oct. 02, 2010 10:27 PM)wammie Wrote:  
(Oct. 02, 2010 07:15 PM)JJoe Wrote:  What is your opinion? "UseSSLeay = TRUE" or "UseSSLeay = FALSE" as set default?
JJoe, it is not clear to whom this question was directed. In my case the errors persist even after the incorrect DLL files are removed from the Proxomitron directory, meaning I probably represent a typical user who has not intentionally installed the specific DLL files as needed by Proxomitron.

Unless I'm still missing something, I perceive the choice boils down to these scenarios:

1) With the TRUE switch, many typical users, new or otherwise, wanting to just install the Sidki configuration file and be "ready to go!" as indicated in the Sidki Readme, not having already installed the proper SSL DLLs and choosing SSL filtering in the browser (an optional procedure), or wanting SSL filtering in the first place, will encounter these annoying DLL errors and have to discover for themselves how to rectify the trouble. These "first use" errors, in my opinion, are a turn off for the general user and may lower the user base.

2) With the FALSE switch, the typical user will not be bothered with these errors. Those wanting to explore the optional SSL option will seek out what needs to be done and carry through.

As it is, with the default 2010-09-19 switch being TRUE, users are forced at the onset to deal with a supposedly optional feature.


(Oct. 02, 2010 11:36 PM)sidki3003 Wrote:  
(Oct. 02, 2010 07:15 PM)JJoe Wrote:  What is your opinion? "UseSSLeay = TRUE" or "UseSSLeay = FALSE" as set default?

Taking this discussion out of the beta thread, since it isn't beta related at all, turning it into a public poll, would have been the better decision, IMO, but okay. I'm setting UseSSLeay to FALSE with the next release.


After a longer while of thinking about this matter, i came to the conclusion that such a change would be irresponsible:
- While HTTPS was a more exclusive thing until the late nineties, you can now get HTTPS server certificates for free.
- HTTPS is called "secure HTTP", because the data get passed from server to client in encrypted format. Everything else is a myth.
- There is no serious barrier at all, that would prevent malicious code from being sent over HTTPS. (However, such incidents are very uncommon.)

Ergo:
- Changing "UseSSLeay = FALSE" would leave those users in the cold, who trust in the upcoming config being at least as secure as the previous ones.
- If you don't like to filter secure pages (in the above explained sense!), you can set that manually anytime, it takes less then 20 seconds.

Two further points:
- If this decision isn't satisfying for you, consider switching to another Proxomitron config distribution.
There are several available. For instance, Michael Bürschgens is maintaining a very good one.
- As far as this thread is concerned, this particular (off-) topic is closed.
If you wish to discuss these things further, open a new topic, preferably in a more adequate subforum.
Add Thank You Quote this message in a reply
Oct. 06, 2010, 04:29 AM
Post: #2
RE: Beta Config (Sep 19 2010)
(Oct. 05, 2010 05:19 PM)sidki3003 Wrote:  After a longer while of thinking about this matter, i came to the conclusion that such a change would be irresponsible:
- While HTTPS was a more exclusive thing until the late nineties, you can now get HTTPS server certificates for free.
- HTTPS is called "secure HTTP", because the data get passed from server to client in encrypted format. Everything else is a myth.
- There is no serious barrier at all, that would prevent malicious code from being sent over HTTPS. (However, such incidents are very uncommon.)

Ergo:
- Changing "UseSSLeay = FALSE" would leave those users in the cold, who trust in the upcoming config being at least as secure as the previous ones.
- If you don't like to filter secure pages (in the above explained sense!), you can set that manually anytime, it takes less then 20 seconds...
I have no problem with whatever decision is made. Personally, I would prefer to use https filtering, but my understanding from previous discussions was that the expected filtering happened to fail in a fair number of https situations.

The default configuration/documentation can be directed toward a crowd who will (should) take the extra steps to enable https filtering, or toward a crowd who will not. If users are informed about the advantage of https filtering and given proper direction for initial installation, the DLL message troubles can be avoided and the better configuration choice will be delivered as the default.

Does UseSSLEAY=TRUE provide security if users are not told that browser https proxy configuration and DLL installation are REQUIREMENTS for the desired "normal" configuration?

What I'm getting at is that Sidki's documentation represents the https filtering as optional, where the new user can just install the software, configure the browser for http proxy and do nothing else. Installing the dll files and configuring the browser to use Prox. for https is additional action that must be taken, if this is the default preference. The documentation for these steps belongs in the "normal" installation description of Sidki's website Readme, rather than in the optional section.

Just one more observation about the current state of affairs: with UseSSLeay=TRUE, and the user not doing the other configuration steps - believing that UseSSLeay is not active by default - the Prox. gui shows a checkmark, thus a somewhat misleading indication of https filtering status. If a user were to uncheck and then recheck this box, attempting to get back to the "oob" configuration, the "mysterious" dll errors will appear. The user notices it was checked previously and Prox. did not present errors. With UseSSLEAY=FALSE and no expectations of https filtering in place as default, the misleading indication and dll errors are less likely.

I'm making a suggestion to review and rewrite the Readme documentation on the Sidki website, and include mention of the full installation requirements for the desired configuration. Users like me who do indeed "RTFM" for accuracy will not be disappointed.
Add Thank You Quote this message in a reply
Oct. 06, 2010, 06:11 PM (This post was last modified: Oct. 07, 2010 02:59 AM by sidki3003.)
Post: #3
RE: Beta Config (Sep 19 2010)
(Oct. 06, 2010 04:29 AM)wammie Wrote:  Does UseSSLEAY=TRUE provide security if users are not told that browser https proxy configuration and DLL installation are REQUIREMENTS for the desired "normal" configuration?

Obviously not.

For the rest of this post i'm skipping any rhetorical questions or "I'm hurt because you said RTFM" comments. I also have to do that because i really want to get the next config ready within this (maximum next) week, and dealing with this communication layer would be extremely time consuming.

Now, back to the factual communication layer:

Whether or not you get an error while visiting an HTTPS resource depends on how you've set up your browser. If you've set it to only use a proxy for HTTP, you'll get no error. If you've set it to use Proxomitron for both HTTP and HTTPS, and don't have matching OpenSSL DLLs, you'll get an error.

Anyway, i agree that the installation instructions should be improved. In particular, and beyond the HTTPS yes/no decision, there is no mention of how to set up your browser, in order to proxy through Proxomitron, and what protocols to proxy. (Well, it's mentioned in the FAQ and in Scott's help files, but we want to make things easier for people entirely new to Proxomitron.)

I have extended the respective paragraph and moved it above the "optional" section. I hope that way everyone will be aware about which protocols s/he's actually filtering:
Quote:- Decide whether you want Proxomitron to filter secure pages or not:
a) If you do want HTTPS to be filtered and/or want to activate the
"Use Half-SSL" option in the "Header Filters" window, make sure that the
SSL DLLs - SSLeay32.dll and Libeay32.dll - are installed on your system.

They should reside either in the same directory as Proxomitron.exe or on
your system's search path. You can get them here:
http://www.proxomitron.info/files/ .

Set your browser to use a proxy for HTTP and HTTPS, and point it to:
127.0.0.1:8080.

b) On the other hand, if you don't like HTTPS pages to be filtered, select
the "HTTP" tab in the preferences and uncheck "Use SSLeay/OpenSSL".

Set your browser to use a proxy for HTTP only, and point it to:
127.0.0.1:8080.
Add Thank You Quote this message in a reply
Oct. 09, 2010, 07:37 AM
Post: #4
RE: Default SSL Settings
I like it. This way the instruction always guides the new user to set the "Use SSLeay/OpenSSL" checkbox for a basic configuration and reduces the chance of DLL errors for either choice.
Add Thank You Quote this message in a reply
Oct. 09, 2010, 01:28 PM
Post: #5
RE: Default SSL Settings
Now I am confused. I don't use Proxo for HTTPS and never have. I think Scott was correct in warning against doing this. But that is just my personal opinion and I don't preach it to others.

I periodically get errors regarding Proxo and it popping up and saying it needs SSLLeay dll filters. Is that because "use half SSL" is checked by default in the header filters and I have never unchecked it? Why is it checked by default since a user would have to install the proper SSL dlls for it work? It should be unchecked by default. I have no idea what "use half SSL" means anyway. I assumed that because I have never installed the SSL dlls needed to have Proxo filter HTTPS that I didn't need to do anything else. Now, I read that I should have known to uncheck "use half SSL" filter even though I don't have the SSL dlls installed. This is a conundrum that makes no sense.

I see 4 header filters for half SSL. I had one unchecked. The others are checked. It is not at all clear that I need to immediately uncheck all 4 upon installing the Sidki filters. To me, Scott's strong warning against using Proxo for SSL sites would mean that by default NO SSL filters are checked! I also see that I have 2 half SSL (as I said I have no idea what half SSL is as opposed to full SSL) checked in Web filters. So, I should uncheck those?

I have been using Proxo since 2002 but I always assumed that SSL filters were not checked by default. Yes, I am guilty of not carefully checking everything after installing a filter set, but why would I look for filters to be checked by default that Scott warned against and that you need to install the proper dlls to use?

Just my 2cents worth. I love Sidki (and btw would you set up some way so I can send you some money for all the hard work you do for us?) and I don't want this construed in the wrong manner. I was not going to say anything but I have changed my mind. I think ALL filters connected to SSL should be off by default if for no other reason than Scott's strong warning that new folks will read. I recall discussing this with Scott in his forum at Castlecops and I feel that Proxo should not filter SSL. I understand that many want to have Proxo filter SSL sites and that is perfectly fine with me. However, I don't think filter sets should come with SSL filters checked by default. Plus, is there an explanation somewhere that I have missed about what "half SSL" is? I have never really cared because I assumed the filters were not set by default to use SSL, and I don't want filter SSL, so I didn't really care if I knew what "half SSL" was as opposed to "full SSL" but I see now I need to know so I know what to uncheck.
Add Thank You Quote this message in a reply
Oct. 09, 2010, 03:18 PM (This post was last modified: Oct. 09, 2010 06:04 PM by JJoe.)
Post: #6
RE: Default SSL Settings
(Oct. 09, 2010 01:28 PM)Mele20 Wrote:  Is that because "use half SSL" is checked by default in the header filters and I have never unchecked it? Why is it checked by default since a user would have to install the proper SSL dlls for it work? It should be unchecked by default.

The filter in question (this ones from prox-config-sidki-2005-02-22.zip) looks like

Code:
In = FALSE
Out = FALSE
Key = "! |||||||||||| 1.3 Use Half-SSL     5.01.12 [jjoe] (o.2) (Out)"
URL = "$SET(keyword=$TST(keyword=(^*.i_ssl_h:)\1)\1i_ssl_h:1.)

Please note that:
Both the In and Out are "FALSE". "TRUE" enables a filter.
The filter has not changed significantly.
I'm very sure it isn't checked by default.

Half-SSL requires a number of filters and adjustments. We thought it would be best if these filters and adjustments were controlled by a single 'switch' that users must enable. The "Use Half-SSL" header filter contains that switch and thus allows users to enable Half-SSL as their base setting.

(Oct. 09, 2010 01:28 PM)Mele20 Wrote:  I see 4 header filters for half SSL. I had one unchecked. The others are checked. It is not at all clear that I need to immediately uncheck all 4 upon installing the Sidki filters. To me, Scott's strong warning against using Proxo for SSL sites would mean that by default NO SSL filters are checked! I also see that I have 2 half SSL (as I said I have no idea what half SSL is as opposed to full SSL) checked in Web filters. So, I should uncheck those?

You can uncheck all if you wish but I don't think it is necessary. Should you want to selectively apply Half-SSL later, you may have to reenable all that you disable.

(Oct. 09, 2010 01:28 PM)Mele20 Wrote:  I periodically get errors regarding Proxo and it popping up and saying it needs SSLLeay dll filters.

http://proxomitron.info/45/help/URL%20Commands.html
SRL Wrote:http://https..www.host.com/some/secure/webpage

Use to load a 'secure' https: web page without having the local page encrypted. Can be use to access secure pages from browsers that don't directly support https, or to avoid the normal https warning messages a browser may spit out. The actual remote connection is still encrypted, but Proxomitron sends the decrypted and filtered page to your browser. Note: requires SSLeay/OpenSSL .dll files to work.

Your browser may be trying to load Half-SSL links (http://https..) embedded in the page.
It's probably nothing to worry about but somebody would probably look at the page flagging the error if you reported it.
The set could disable the Proxomitron's URL based commands by default but I don't think that is necessary.


HTH

Edit: I believe Half-SSL links will generate the errors when the DLLs are missing or incompatible, regardless of the "Use SSLeay/OpenSSL" setting. I'll create another topic in Proxomitron Program when I get a chance.
Add Thank You Quote this message in a reply
Oct. 09, 2010, 03:33 PM
Post: #7
RE: Default SSL Settings
Scott Lemmon's writing about half-SSL can be seen here:
http://www.proxomitron.info/45/docs/readme.txt

Sidki has pointed out that the three checked filters related to half-SSL are dependent on the main filter "Use SSLeay/OpenSSL" in Prox.'s dialog box being checked AND the master filter "Use Half-SSL" being checked. So, three Half-SSL filters are only poised to work if the main Half-SSL filter is activated.

The dll errors are what I experienced when installing Sidki's newest beta filter set with "Use SSLeay/OpenSSL" checked by default, and it is this setting which triggers the errors. Having it checked forces the user to deal with dll files, the certificate files (updating advised), the emergence of certificate warning boxes when browsing, security arguments, etc. The SSLeay option has to be set one way or the other in the default configuration, obviously. So the decision on this option, in my mind, goes something like this: 1) Set it OFF, assuming the extra steps for proper ON state operation will inevitably be missed by many users, but providing a safety condition against dll errors in this case, 2) set it ON and provide full information on the implications, expecting users to "do or die", in effect, or 3) make no assumption what is best for a particular user or the general population, but absolutely include information for option 2) so the user must make a conscious choice.
Add Thank You Quote this message in a reply
Oct. 09, 2010, 05:08 PM
Post: #8
RE: Default SSL Settings
(Oct. 09, 2010 03:33 PM)wammie Wrote:  So, three Half-SSL filters are only poised to work if the main Half-SSL filter is activated.

IIRC, Half-SSL can also be triggered from the user list.
Add Thank You Quote this message in a reply
Oct. 15, 2010, 04:12 AM
Post: #9
RE: Default SSL Settings
So I tried SSL filtering and enabling Half-SSL for a while. Due to out of date certificates used by Proxomitron, I received numerous certificate warnings and even some Proxomitron application errors. For now I'll probably browse without SSL filtering. I don't know, but I'd imagine many new or long-time users, maybe a majority, have also found SSL filtering to be more trouble than its worth.
Add Thank You Quote this message in a reply
Oct. 25, 2010, 10:43 PM (This post was last modified: Oct. 25, 2010 10:54 PM by Mele20.)
Post: #10
RE: Default SSL Settings
Ok. I am more confused than ever. I got up this morning to see THREE Proxo errors on my screen. Each complaining that Proxo needs SSLleay.dll, etc. Behind the three Proxo errors was another error from my Opera mail client complaining it could not connect. Opera mail is not secure so why the Proxo errors I don't know.

I left Opera 10.62 (no mail client) running overnight and also Opera 11 Alpha which does have mail set up. I think Opera must have tried to check for new email at the precise moment my connection went down (it has been going down and coming back quite frequently the last few days...thought my ISP got the problem corrected two weeks ago but it is back now with a vengeance). So, if Opera tried to check the mail, and the connection was down at that precise moment, then I suppose the password might come into play and Proxo would think SSL dlls were needed? I'm just guessing here. Opera checks for mail every 30 minutes so I bet that is what happened.

I have the master filter "use half SSL" unchecked. Do I need to also uncheck:
URL:block sel SSL connects
Set cookie: 5 a Strip "secure" if Half SSL

I left those two checked so do they also need to be unchecked to stop these errors? Thanks.

Edit: I shut down Opera 11. I restarted it and immediately received three Proxo ssl error messages. No error about Opera mail. I still have the two mentioned filters above checked.
Add Thank You Quote this message in a reply
Oct. 26, 2010, 12:19 AM
Post: #11
RE: Default SSL Settings
(Oct. 25, 2010 10:43 PM)Mele20 Wrote:  I have the master filter "use half SSL" unchecked. Do I need to also uncheck:
URL:block sel SSL connects
Set cookie: 5 a Strip "secure" if Half SSL

I left those two checked so do they also need to be unchecked to stop these errors? Thanks.

That won't stop the errors.

At launch Opera sometimes requests information from various servers. IIRC, those or some of those requests go to secure sites.
However, I thought I read that you don't filter https, so your Proxo should not see the https requests.

Isn't your Opera preferences set to only send http to the Proxomitron like the attached image?

HTH


Attached File(s)
.gif  OperaProxPrefs.gif (Size: 39.58 KB / Downloads: 684)
Add Thank You Quote this message in a reply
Oct. 26, 2010, 12:49 AM (This post was last modified: Oct. 26, 2010 12:52 AM by Mele20.)
Post: #12
RE: Default SSL Settings
Ugh. Sorry. This is an ALPHA version of Opera 11. It works surprisingly well (others have commented the same at Opera forums) for an alpha version. But it has strange quirks. It stopped asking me about cookies yesterday. I restarted it and everything was fine until today when again it just denies cookies on new sites instead of asking me what I want it to do and here it is now popping up some cookie screen when I previewed this post but the popup is only there for a second so I can't even see for sure what it is about and can't interact with it. I have permanent cookies for here and I always uncheck the Proxo setting for make all cookies session only so Opera 11 should not be popping up a screen about cookies here when I preview this post.

Anyhow, as to the SSL errors, I had use Proxo UNchecked in Preferences/Advanced/Network/Proxy Servers except for HTTP. Opera 11 has a mind of its own I guess because after reading your post I checked those settings again and EVERY ONE OF THEM WAS CHECKED FOR PROXO! I think when I restarted Opera 11 last night that it must have reset those settings. I need to look and see if it reset any other preferences.

I don't have a mail client set up on Opera 10.62. I think I will set up Opera mail there and see if I get any Proxo errors on that stable version of Opera. Probably I will not. Sorry to have posted a bogus problem.

Edit: when I clicked to post this, Opera 11 gave me a cookie box that stayed on the screen unlike the earlier popups that would flash on the screen and off too fast to look at them. It has my cookie settings screwed up and thinks I only want session cookies here. I guess because Opera 11 was so nice for a day or so that I am now more surprised than I should be when it acts buggy.
Add Thank You Quote this message in a reply
Post Reply 


Forum Jump: