Hacker Read

icebraining · 2011-11-14 20:59:21+00:00

Since it's HTTPS, those proxies can't see the traffic anyway, so as long as they used SSL on port 443, they could use any protocol on top.

aftbit | karma 4790 | avg karma 3.5 · | 2020-12-08 21:41:15

Can the proxies be (ab)used to proxy arbitrary HTTPS traffic?

tinco | karma 11728 | avg karma 3.67 · | 2018-12-20 11:34:50

Proxying on 443 would 100% work, I can say that without trying. The only case that would not work is if the firewall would do any deep packet inspection to see whether the connection setup resembles https. That of course would also be easy to circumvent, but I don't think any firewall would go so far.

1lann | karma 2 | avg karma 2.0 · | 2015-11-12 07:00:36+00:00

My school blocks all protocols except for HTTP and HTTPS. However they actually MITM HTTPS connections (I have to install a root certificate from them) so they can decrypt and see everything people do. So unfortunately typical TCP proxies don't work, even on port 443 as their transparent proxy makes the handshake. Instead, I have to put the payload in an HTTP request acting as a download, and another request as an upload, and make an OpenVPN connection over that.

mixedbit | karma 1884 | avg karma 3.49 · | 2014-05-14 12:14:44+00:00

A drawback is that a proxy won't be able to filter HTTPS traffic.

nightpool | karma 4134 | avg karma 3.65 · | 2015-08-11 16:07:22

You... really don't understand HSTS or how proxies work. Any actual secure proxy configuration would still work just fine with HSTS. Its only ones that specifically downgrade HTTPS connections to HTTP ones that break.

captainmuon | karma 8844 | avg karma 4.98 · | 2021-04-17 03:18:50

Are proxies even relevant anymore with HTTPS? The only two scenarios I can imagine are reverse proxies at the server's side (which the server controls), and corporate MITMing firewalls (which I personally think are the plaugue and don't belong in 2021).

lazyloop | karma 530 | avg karma 5.58 · | 2014-08-06 02:03:50+00:00

That's simple, they just won't, browsers will only support HTTP/2 over TLS, so proxies are effectively dead.

throwaway43 | karma 229 | avg karma 5.72 · | 2016-05-22 14:41:54+00:00

How do you proxy their traffic ?

I couldn't because they seem to use pinned certificates.

reply

jamespo | karma 1488 | avg karma 1.73 · | 2023-11-27 03:01:52

I've considered the HTTP proxy (anyone remember the fantastic proxomitron?), the problem is it would have to MITM all the HTTPS.

danielrhodes | karma 2600 | avg karma 4.08 · | 2016-05-05 14:08:39+00:00

If you are using secure web sockets (wss), this shouldn't be an issue as the traffic goes over port 443 and the proxy won't be able to tell if it's HTTP or another type of traffic.

haraldooo | karma 152 | avg karma 6.91 · | 2023-08-27 06:22:48

Sure they can.. but they can’t get around your outgoing firewall rule that reroutes alle traffic for certain ports to the proxy.

paulddraper | karma 16686 | avg karma 1.72 · | 2019-10-31 01:56:28+00:00

Deep packet. That's how they got HTTP proxies too.

bsamuels | karma 2066 | avg karma 5.99 · | 2014-07-28 00:50:17+00:00

it's not hard to set up a proxy and just sniff the traffic to reconstruct the protocol

GoblinSlayer | karma 1313 | avg karma 0.44 · | 2022-09-26 11:41:55

It's possible if the connection goes through an http proxy.

Dylan16807 | karma 31639 | avg karma 1.39 · | 2014-01-15 23:39:28

As opposed to HTTP where they proxy it and MITM it? I don't understand the objection.

pfg | karma 5329 | avg karma 4.49 · | 2015-12-11 01:50:04+00:00

You can still do that with HTTPS. Squid supports HTTPS proxying. Basically, you create your own root CA, distribute it to all endpoints on your network, and use squid to MITM all connections. That's (essentially) how most corporate proxies work.

taf2 | karma 3607 | avg karma 1.95 · | 2014-03-27 13:10:38+00:00

The main issue I see here is the use of a port other than 443 - this means traffic will likely be blocked for many users, also over 443 traffic should be encrypted to avoide bad proxies messing up the request headers

JoeAcchino | karma 270 | avg karma 6.43 · | 2013-09-06 12:19:09

HTTP Proxies do this.

T-R | karma 1337 | avg karma 3.34 · | 2015-10-10 20:12:14+00:00

> Though HTTP proxies are dead thanks to HTTPS

Well, they're not as broadly useful as without HTTPS, but you can still always MITM yourself to get a free transparent caching layer between the client and your end server.

reply