Ok

On Saturday, October 12, 2013, Benjamin Tayehanpour wrote:

> On 10 October 2013 20:12, sanga collins <[email protected]> wrote:
> > If you were able to SSH out we would just Hire you into the IT dept. you
> > would be way too over-qualified for the receptionist job. :)
>
> Also an admirable attitude! :)
>
>
> On 11 October 2013 07:10, Peter C. Ndikuwera <[email protected]> wrote:
> > Good old 80 & 443 can work as well for ssh tunneling - though not great
> > options.
>
> Really? Why not? 443 is a great option if you need to fend your way
> through a firewall, since you'd have a hard time separating HTTPS and
> SSH traffic even with deep packet inspection.
>
> Not impossible, mind you; if I would be dealt the assignment to sniff
> and inspect traffic on a corporate network, assuming all the client
> workstations are the property of the corporation and that I would ever
> stoop so low, I would simply install a home-brew root CA certificate
> on the client computers, then install a transparent proxy server on
> the firewall. I would then, with the home-brew CA as, well, CA, have
> appropriate certificates dynamically generated according to the
> responses I get from the relayed requests to the target hosts. And
> there you go. HTTPS: defeated.
>
> This is, by the way, why I don't trust HTTPS to protect my privacy
> when I'm using a computer I don't control. And on my own computers, I
> still remain slightly wary. HTTPS is fundamentally flawed, in that it
> only takes one CA gone rogue (or, in my scenario above, one roguish
> root certificate added to the client) to render the security useless.
>
> This is also why I never ever would install connection software from
> an Internet service provider. If the state of a country would decide
> to have all Internet traffic intercepted at the country border, or the
> IXP, or some other point where they can easily do so, and they would
> like to have a look at all the HTTPS traffic as well, they could just
> go to all ISPs and demand that they ship their 3G/4G modems with this
> root certificate, installing it along with the connection software.
> They wouldn't even have to say why; they could pass it off as "the new
> root CA for government web sites" or similar.
> _______________________________________________
> The Uganda Linux User Group: http://linux.or.ug
>
> Send messages to this mailing list by addressing e-mails to:
> [email protected]
> Mailing list archives: http://www.mail-archive.com/[email protected]/
> Mailing list settings: http://kym.net/mailman/listinfo/lug
> To unsubscribe: http://kym.net/mailman/options/lug
>
> The Uganda LUG mailing list is generously hosted by INFOCOM:
> http://www.infocom.co.ug/
>
> The above comments and data are owned by whoever posted them (including
> attachments if any). The mailing list host is not responsible for them in
> any way.

--
Sanga M. Collins
Network Engineering
~~~~~~~~~~~~~~~~~~~~~~~
Google Voice: (954) 324-1365
E-fax: (435) 578 7411
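The quoted message turns on one root certificate being added to the client, so the matching check is to diff the machine's trust store against a known-good baseline bundle. The following is an added example, not part of the thread: the function names are assumptions, and the certificate bodies are constructed placeholder bytes rather than real certificates.

```python
from __future__ import annotations

import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def fingerprints(pem_bundle: str) -> set[str]:
    """Return the SHA-256 fingerprint of every certificate in a PEM bundle."""
    found = set()
    for body in PEM_RE.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()))
        found.add(hashlib.sha256(der).hexdigest())
    return found


def audit(baseline_pem: str, current_pem: str) -> dict[str, list[str]]:
    """Diff a live trust store against a known-good baseline bundle."""
    base, cur = fingerprints(baseline_pem), fingerprints(current_pem)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


def _pem(der: bytes) -> str:
    """Wrap bytes in PEM armour (used only to build the sample data)."""
    b64 = base64.b64encode(der).decode()
    rows = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{rows}\n-----END CERTIFICATE-----\n"


# Constructed sample data: placeholder bytes standing in for DER certificates.
ROOT_A = _pem(b"constructed placeholder: vendor root A")
ROOT_B = _pem(b"constructed placeholder: vendor root B")
EXTRA = _pem(b"constructed placeholder: root added after install")

BASELINE = ROOT_A + ROOT_B          # what the OS vendor shipped
CURRENT = ROOT_B + EXTRA + ROOT_A   # what the machine trusts now

if __name__ == "__main__":
    report = audit(BASELINE, CURRENT)
    for fp in report["added"]:
        print("root not in baseline:", fp)
```

The comparison is by fingerprint of the decoded bytes, so reordering the bundle or re-wrapping the base64 does not produce false differences.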
