Re: lynx-dev success story: communicating using https with proxy - only lynx
Sat, 13 Apr 2002 15:40:56 +0500 (SAMST)
On Fri, 12 Apr 2002, David Woolley wrote:
Sorry, I was too unspecific.
In fact I was evaluating solutions on how to use ftp and be secure at the
same time. Besides using ftp over SSL/TLS (only a few ftp clients and ftp
servers support it), one of the options I tried was to set up an ftp proxy on
the target server (that also runs ftp), and use that proxy (communicating with
it over https) to perform all operations with the ftp server in a secure manner. I
found that option to be viable if and only if the agent that uses that proxy
is lynx - other browsers can't be asked to speak https with proxy rather than
in "plain text".
> > Just curious - does anybody know why all other browsers suck that much in this
> > respect?
> If I understand you correctly, because they follow good security practice
> whereas Lynx doesn't treat https specially because at one time it wasn't
> allowed to have encryption hooks and couldn't include the patented code.
> I would consider it a bug. I would suggest it be disabled now as
> it encourages the unsafe transmission of clear text sensitive data
> outside the origin machine.
> IE and (I think) Mozilla, both handle proxying of https and do so safely.
> The squid proxy supports them to any depth of proxy and the CERN proxy
> supports it to one level. The way they do it is to use a special HTTP
> method, CONNECT, which is given a host and port number and the end proxy
> then sets up a TCP connection to that address and operates an application
> level relay back up the chain. Properly configured proxies do not let
> through arbitrary port numbers!
> I'm pretty sure, therefore, that the overall result here is that
> Lynx is broken by not supporting CONNECT, or maybe the https patches
> for it include CONNECT support.
Lynx uses CONNECT when visiting https sites via proxy, so lynx is not broken
in this respect.
Sorry for the confusion.
Just wanted to add - I searched the whole of freshmeat.net - it turned out that
there are no proxies that can be spoken to over https, besides the Apache web server
with the modules mod_proxy and mod_ssl. I was very surprised by this fact.
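
The CONNECT handling described in the quoted text above (a host and port number in the request, and a proxy that refuses arbitrary ports), sketched as an added example that is not part of the original thread and is not code from Lynx, Squid, CERN httpd or Apache. The function names and the allow-list containing only port 443 are assumptions; the request lines in the usage are constructed.

```python
import re

# Assumed policy for this example: the proxy only tunnels to the https port.
ALLOWED_CONNECT_PORTS = frozenset({443})

# CONNECT takes "host:port" as its target, not a URL.
# Host is a name/IPv4 address or a bracketed IPv6 literal.
_CONNECT_LINE = re.compile(
    r"CONNECT ([^\s:]+|\[[0-9A-Fa-f:.]+\]):(\d{1,5}) HTTP/1\.[01]"
)


def check_connect(request_line, allowed_ports=ALLOWED_CONNECT_PORTS):
    """Decide what a proxy should do with one CONNECT request line.

    Returns (status, host, port):
      200 - target port is on the allow-list, the tunnel may be opened
      400 - not a well-formed CONNECT request line
      403 - well-formed, but the port is not one the proxy relays to
    """
    m = _CONNECT_LINE.fullmatch(request_line.rstrip("\r\n"))
    if m is None:
        return 400, None, None
    host, port = m.group(1), int(m.group(2))
    if not 1 <= port <= 65535:
        return 400, None, None
    if port not in allowed_ports:
        return 403, host, port
    return 200, host, port


def status_line(status):
    """Status line the proxy sends back before relaying (or closing)."""
    reasons = {200: "Connection established", 400: "Bad Request", 403: "Forbidden"}
    return "HTTP/1.0 %d %s" % (status, reasons[status])


if __name__ == "__main__":
    # Constructed request lines, as a client would send them to the proxy.
    for line in (
        "CONNECT www.example.org:443 HTTP/1.0",   # https tunnel: allowed
        "CONNECT mail.example.org:25 HTTP/1.0",   # arbitrary port: refused
        "CONNECT www.example.org HTTP/1.0",       # no port: malformed
    ):
        status, host, port = check_connect(line)
        print("%-40s -> %s" % (line, status_line(status)))
```

Only after a 200 does the proxy open the TCP connection and relay bytes in both directions; the TLS session itself runs end to end between the client and the origin server.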