I'm sorry, this was a bad example. I did a quick search on "Java Telnet
Applet" and included the first site it returned without properly checking. A
while ago, somewhere on the web, I ran into a Java Applet which tunneled
telnet data over HTTP and the real connection was made from that web server
to any destination you specified.
You are right that any unsigned applet can only make connections back to the
originating web-server, and this one did. The outbound telnet connection was
made by the web server, not the web browser. It acted as a telnet proxy of
sorts. Personally I doubt this applet still exists in that form as the
potential for semi-anonymous cracking attempts probably made it an
attractive web site.
I'll forward the URL if I do manage to dig it up...
--
Gene Lee
[EMAIL PROTECTED]
[EMAIL PROTECTED]
-----Original Message-----
From: Daniel Garcia <[EMAIL PROTECTED]>
To: Gene Lee <[EMAIL PROTECTED]>
Cc: John Cheswick <[EMAIL PROTECTED]>; [EMAIL PROTECTED]
<[EMAIL PROTECTED]>
Date: Sunday, January 23, 2000 8:27 PM
Subject: Re: Telnet/SSH through HTTP proxy??
>On Sun, 23 Jan 2000, Gene Lee wrote:
>> >I'm not worried about some wizzo hand-crafting
>> >packets; what I'm more wondering is if there are
>> >already tools out there that do this. Pointers
>> >anyone?
>>
>> One thing you really have to worry about are all these Java Telnet
>> Applets springing up all over the place. Good example of one is:
>> http://edcen.ehhs.cmich.edu/telnet.html
>
>Why? The telnet applets like the one you showed here use regular telnet
>to connect to their host. They're not tunnelling over http. That web
>page is -no- different than opening up a telnet client to
>edcen.ehhs.cmich.edu and if your firewall blocks outbound telnet then
>that applet won't work either!
>
>> It is hardcoded to telnet only to a specific host, but there are probably
>> some on the net which are not security-conscious and allow you to specify
>> exactly where you want to telnet to. Hard thing is deciding if you want
>> to block Java at the proxy, since a lot of organizations are using Java to
>> deploy legitimate web-based applications.
>
>Actually - that has nothing to do with how the applet is coded or the site
>it comes from. It is a limitation in the applet security model. Applets
>are -only- allowed to make network connections to the machine they were
>downloaded from. A signed applet would be able to go to other sites, but
>again, if your firewall blocks telnet access, then the applet won't be
>able to get through.
>
>Now, I suppose you could make a connection over port 80 if your firewall
>just blindly allows access through port 80. If the firewall does some
>kind of proxying, and only allows valid HTTP through, then tunneling
>something like telnet becomes a little trickier (or maybe more than a
>little).
>
>I haven't seen an applet yet that does this (doesn't mean it isn't out
>there though :)
>
>--Dg
>
>
>
> "Why god? WHY?"
> "Because, there's something about you that REALLY Pisses me off!"
>
> | icq/4813658 | yahoo/kender42 | [EMAIL PROTECTED] | aim/dg4293 |
> | [EMAIL PROTECTED] | www/www.hollyfeld.org |
> "Even angels learn to fall"
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]