Post Reply 
Perfect Forward Secrecy
Oct. 13, 2013, 11:24 PM
Post: #1
Perfect Forward Secrecy
hello everyone,

I would like to *hear* some thougts about Perfect Forward Secrecy when filtering secure connections with Proxomitron.
I don't think Proxomitron supports this security feature, but I am not 100% sure. does anyone know anything concrete?
if it's not supported it will be the end of Proxomitron when there is a critical amount of secure connections. maybe any ideas of workarounds or anything helpful?
Add Thank You Quote this message in a reply
Oct. 14, 2013, 09:18 PM
Post: #2
RE: Perfect Forward Secrecy
The Proxomitron does not do PFS.

As I understand things:
If half SSL could be used, a bridging proxy could provide PFS.
If HTTPS and PFS in the browser are required, another filtering proxy with HTTPS and PFS support would be required.
It would require significant effort to add PFS support to the Proxomitron.

If PFS use becomes widespread.
Add Thank You Quote this message in a reply
Oct. 19, 2013, 04:31 PM (This post was last modified: Oct. 19, 2013 04:31 PM by neverwasinparis.)
Post: #3
RE: Perfect Forward Secrecy
only one response. just as expected. Wink man, our community is so small...

thanks for your answer. do you have any idea which bridging proxy could be used when using half SSL? I think it should be a local proxy. never used one besides Proxomitron.

by the way, following that logic Proxomitron does not support other HTTPS features too. so it should be a good idea to let the certification process done by a program that is up to date, not just because of Perfect Forward Secrecy.
Add Thank You Quote this message in a reply
Oct. 19, 2013, 08:38 PM
Post: #4
RE: Perfect Forward Secrecy
some of us, myself included, prefer to go a different route and, at our own risk, BYPASS the INSECURE and EASILY CORRUPTED "certification process"...


the "certification process" is a [email protected] NUISANCE that simply does NOT make you "secure"... and if you truly care for a nice read into the subject, take an evening out and read up on it, you too will fall into the camp of taking a different route and AXING the whole [email protected] "certification process"...
Add Thank You Quote this message in a reply
Oct. 20, 2013, 04:45 AM
Post: #5
RE: Perfect Forward Secrecy
(Oct. 19, 2013 04:31 PM)neverwasinparis Wrote:  do you have any idea which bridging proxy could be used when using half SSL?

I'm not quite sure. There are other proxies (from memory with probably current openssl: Webscarab, Paros, Fiddler, mitmproxy, Charles, BurpSuite, etc) that I dismissed for continuous Windows use long ago. I assume that once filtering these proxies would bridge.

I've been looking at http://honeyproxy.org/ , wondering if Proxo's soul could find a home in there.

Features:
Analyze HTTP(S) traffic on the fly
Filter and highlight traffic, regex support included.
Report Generation for saved flows, including a live JS editor.
Save HTTP conversations for later analysis
Make scripted changes with Python, e.g. remove Cache Header.
based on and compatible to mitmproxy.
cross-platform (Windows, OSX and Linux)
SSL interception certs generated on the fly

(Oct. 19, 2013 04:31 PM)neverwasinparis Wrote:  by the way, following that logic Proxomitron does not support other HTTPS features too. so it should be a good idea to let the certification process done by a program that is up to date, not just because of Perfect Forward Secrecy.

This lack of other HTTPS features doesn't worry me too much. Those who filter HTTPS should be looking out for themselves.
Missing features that keep the Proxomitron from filtering and the dated HTTPS identifying us is worrying.
Add Thank You Quote this message in a reply
Oct. 24, 2013, 03:44 AM
Post: #6
RE: Perfect Forward Secrecy
@ ProxRocks

I believe in HTTPS. Big Teeth


@ JJoe

thanks for this really usefull answer. will need some time to test your ideas.

(Oct. 20, 2013 04:45 AM)JJoe Wrote:  I've been looking at http://honeyproxy.org/ , wondering if Proxo's soul could find a home in there.
I tested this so far. did you succeed with installation? I didn't. after Python was installed pyOpenSSL didn't find Python installation folder and even the formular to enter it manually did not work. so this ends at this point for me.
Add Thank You Quote this message in a reply
Oct. 24, 2013, 05:40 AM (This post was last modified: Oct. 24, 2013 05:40 AM by ProxRocks.)
Post: #7
RE: Perfect Forward Secrecy
(Oct. 24, 2013 03:44 AM)neverwasinparis Wrote:  @ ProxRocks

I believe in HTTPS. Big Teeth

"sorry 'bout your luck", as the saying goes Big Teeth


http://www.privatewifi.com/ask-the-exper...-we-think/
https://www.eff.org/deeplinks/2011/10/ho...ttps-today
http://superuser.com/questions/225472/how-safe-is-https
http://www.esoft.com/network-security-th...ly-secure/
Add Thank You Quote this message in a reply
Oct. 25, 2013, 04:32 AM
Post: #8
RE: Perfect Forward Secrecy
(Oct. 24, 2013 03:44 AM)neverwasinparis Wrote:  
(Oct. 20, 2013 04:45 AM)JJoe Wrote:  I've been looking at http://honeyproxy.org/ , wondering if Proxo's soul could find a home in there.
I tested this so far. did you succeed with installation? I didn't.

Installed and working as a proxy but not a total success. The proxy part doesn't always work. The traffic inspection and analysis features have not worked. I haven't tried much more.
Add Thank You Quote this message in a reply
Oct. 31, 2013, 06:15 PM
Post: #9
RE: Perfect Forward Secrecy
@ ProxRocks

I'm fine with what is written on your third refered page.


@ JJoe

would be really hard to get this or another tool work.
not enough time...
for me: using user scripts on some encrypted sites and Proxomitron for unencrypted sites should work for a few more years. I don't want to use Proxomitron to make surfing the web less secure than it would be without it.
Add Thank You Quote this message in a reply
Nov. 09, 2013, 12:25 PM
Post: #10
RE: Perfect Forward Secrecy
http://www.esoft.com/network-security-th...ly-secure/
Selling. The external link is apparently (I didn't visit) about easily conned Cert Authorities, Comodo. Previous news stories have reported other conned CAs. This is a social engineering flaw, demonstrating that "experts" are vulnerable to social engineering. We also know that internet users are vulnerable to social engineering. Flaw seems incuirable, though is not inherent to SSL itself.

http://www.privatewifi.com/ask-the-exper...-we-think/
Selling. Internal links, which I didn't visit.

http://superuser.com/questions/225472/how-safe-is-https
Banks (experts) are fallible, yes. OTOH, traditional non-internet security also steadily suffers new attacks.
The other factors in comments are social engineering, except keylogger.
I wonder when academics will consider 128bit SSL to be too small.

https://www.eff.org/deeplinks/2011/10/ho...ttps-today
A more thorough outline, imo. My brain is not in gear enough to study carefully.
#2and #4 seem beyond control (failings) of CAs.
#5 looks bad for other reasons.

I suppose the problems are too much to trust security of the CA system for authenticating sites.

But after recently reading about the function of keys, I've wondered whether encryption function can be separated. I'm not sure if encryption can be independent of authentication.
Add Thank You Quote this message in a reply
Post Reply 


Forum Jump: