Threaded Mode | Linear Mode

Graycode · Oct. 17, 2011, 12:42 AM

(Oct. 16, 2011 11:17 PM)ProxRocks Wrote: "how" ?

I don't know about Proxo. It's something I inforce in my proxy, which is not Proxo.

You know there's a lot of open ("public") proxy instances out there. For normal SSL they might receive something like:

Code:

CONNECT www.example.com:443 HTTP/1.1

At that point the proxy would connect to that remote host's port :443 and begin a blind tunnel operation whereby (probably) encrypted content flows both ways.

But now consider when one of those proxies receives something like this:

Code:

CONNECT 127.0.0.1:445 HTTP/1.1

If the open proxy is stupid (many are) then the remote user will have an open channel for Microsoft-DS file sharing within the PC that the proxy's running on.

A more connom scenario would be something like:

Code:

CONNECT www.example.com:25 HTTP/1.1

Spammers love to relay through open proxies when they can, and the proxy's operator gets blamed for it.

I consider TCP port :443 to be strictly for SSL CONNECT and deny (block) its use for non-SSL. Then I restrict the SSL CONNECT to only port :443, with an exception list for a few destinations in a non-standard usage. An example exception would be where I allow tunneling of MS Messenger IM on :1863. Another example would be one of my routers that I can access its configuration with SSL via a non-standard port.

If, as in this case, some Yahoo page generates a non-SSL GET request to port :443, then I just say no. Activity like that would often be for malicious intent. But in Yahoo's case it's probably bugs in some HTML generator they wrote & recently modified.

An HTTP GET is not a CONNECT, even if it misleadingly specifies :443

Code:

GET login.yahoo.com:443/?.intl=us HTTP/1.1

I only brought this up in case it has something to do with the issues you're having with Yahoo login.