Sunday, March 06, 2011

HTTPS for all browsing

I've been thinking about using HTTPS for everything (even sites that don't support HTTPS) by routing all my traffic through a proxy that makes connections to the actual site (possibly on HTTP). This at least secures my traffic from packet sniffing on the local LAN.

What this means is that if you are at school or office, no colleague can run Wireshark or TCPDump on the the local LAN and capture/sniff your traffic. Also, you can now safely browse the web over http on insecure/potentially sniffed networks such as stray wireless networks without having to worry about your data being compromised! Welcome starbucks internet :-p

Traditionally, if the browser connects directly to a public proxy, then HTTP traffic still goes unencrypted (to the best of my understanding). Hence, this is what I've thought of doing.
  1. Set up a local proxy on the same machine, which connects to a remote proxy over HTTPS.
  2. Ensure that the remote proxy is running on a safe/trusted network (it could be your home PC if you want to use insecure wireless networks securely)
  3. This remote proxy can now make HTTP connections and the issue of local packet sniffing is resolved.
  4. However, it doesn't prevent remote packet sniffing (on the network where the remote proxy resides), which is why it is important to have the remote proxy sitting on a secure network.

If you are seriously planning to use this proxy, and you aren't yet using HTTPS Everywhere, I would strongly suggest that you start using it since it will reduce the load on the proxy and is more secure (since the encryption is end-to-end and not proxy-to-end).

Mamma says that there shall be a day when browsers pop up a warning when you view an http based page (as opposed to an https based one).

Update: You can grab the code for this proxy here


Anonymous said...

nice idea, but I can't see how you use this in a LAN that you don't control yourself (at school/work/starbucks etc)

as I can see it, in all those places you could only install it on *your* local machine which makes it useless (no safety added)

am I missing something?

Dhruv Matani said...

So, the local-proxy.js will run on your local machine, whereas remote-proxy.js will be running on a trusted remote machine that is outside the network you are currently on (the untrusted network).

Check this link for a nice discussion on the topic (very informative):

It seems that the core of the idea can be implemented using standard tools such as ssh. However, I am also working on more privacy features such as removing the referer header, etc... You can also try firefox add-ons that accomplish these goals.

Astro said...

I usually use ssh -D for that. Find a browser that does not support SOCKS!

Unknown said...

Https is good (generally) but it can be bad too sometimes especially in the case of data loss prevention



as3:~/node-tls-proxy# ls
as3:~/node-tls-proxy# nohup node remote-proxy.js > /dev/null &
[1] 25605
as3:~/node-tls-proxy# nohup: ignoring input and redirecting stderr to stdout

[1]+ Done nohup node remote-proxy.js > /dev/null
as3:~/node-tls-proxy# ps aux|grep node
as3:~/node-tls-proxy# root 2062 0.0 0.0 33764 372 ? Sl Mar22 0:00 /usr/local/bin/node server.js
root 25794 0.0 0.1 3876 796 pts/1 S+ 08:26 0:00 grep node

the above result means "node remote-proxy.js" isn't running in my vps,why?

Dhruv Matani said...

@yu Can you try w/o nohup and see if any errors are printed?


as3:~/node-tls-proxy# node remote-proxy.js
(un)Caught exception: Error: ENOENT, no such file or directory './openSSL_keys/ryans-key.pem'
at Object.fs.openSync (fs.js:338:18)
at Object.fs.readFileSync (fs.js:182:15)
at Object. (/root/node-tls-proxy/remote-proxy.js:54:10)
at Module._compile (module.js:449:26)
at Object.Module._extensions..js (module.js:467:10)
at Module.load (module.js:356:32)
at Function.Module._load (module.js:312:12)
at Module.runMain (module.js:492:10)
at process.startup.processNextTick.process._tickCallback (node.js:244:9)

i forgot to upload openSSL_keys folder.but after i uploaded openSSL_keys folder,it still shows error:

as3:~/node-tls-proxy# ls
log openSSL_keys remote-proxy.js
as3:~/node-tls-proxy# node remote-proxy.js
(un)Caught exception: Error: Cannot find module 'tav'
at Function.Module._resolveFilename (module.js:338:15)
at Function.Module._load (module.js:280:25)
at Module.require (module.js:362:17)
at require (module.js:378:17)
at Object. (/root/node-tls-proxy/remote-proxy.js:58:12)
at Module._compile (module.js:449:26)
at Object.Module._extensions..js (module.js:467:10)
at Module.load (module.js:356:32)
at Function.Module._load (module.js:312:12)
at Module.runMain (module.js:492:10)

how to fix it ?what module is tav?