# [SOLVED] Surf from work without big-brother-company-bofh watc

## aztech

Today I'm "running" CGIProxy on my server at home, that I can use from the outside to surf anywhere I want. Great ..

But when at work, I want to surf through a proxy on my homeserver and keep my traffic between my work-pc and homeserver totally "anonymous".

As in .. SSL/HTTPS work <-> home, but also to make requests to the proxy "secret"/encrypted.

When using CGIProxy, my url-requests look like this ..

https://my.homeserver.org/cgi-bin/nph-proxy.cgi/000010A/http/www.google.se/

I would like something like this instead ..

https://my.homeserver.org/cgi-bin/nph-proxy.cgi/<totally_not_understandable>

You get me ?

/ andreas

Last edited by aztech on Mon Jun 15, 2009 2:08 pm; edited 1 time in total

----------

## NeddySeagoon

aztech,

Think about what https:// means.

The link from your work system to your cgi server is encrypted.  To an eavesdropper, they cannot get at the sites you are browsing.

However, you will stand out like a sore thumb in traffic analysis for sending a lot of traffic over https://; that alone may be cause for investigation.

----------

## aztech

 *NeddySeagoon wrote:*   

> aztech,
> 
> Think about what https:// means.
> 
> The link from your work system to your cgi server is encrypted.  To an eavesdropper, they cannot get at the sites you are browsing.
> ...

 

Yes I know what you mean, but is the url-request really encrypted also ?

I thought that only the "data" was encrypted here ...

But if it is, I already have what I want then =)

----------

## NeddySeagoon

aztech,

Everything is encrypted between the two machines at the ends of the https:// link.

It better be, I use it for on line banking.

The from and to IP addresses can be monitored as the traffic is sent as encrypted packets over TCP/IP, so your machine at work will be identified as a source of an unusually high amount of traffic on port 443 and the destination IP will be known too.

If it wasn't, you would never get any packets back from your cgi proxy.

You should expect IT to tap you on the shoulder to ask about what's happening or to block your access to port 443.

----------

## think4urs11

 *NeddySeagoon wrote:*   

> Everything is encrypted between the two machines at the ends of the https:// link.

 

as long as no ssl-intercept is in use. If the IT knows their stuff it is hard to notice for a non-paranoid user and if not a lot of users don't think about SSL errors and click 'accept' anyways.

SSL-Intercept breaks the end2end-encryption and sits in between server and client as some kind of mitm playing server/client to the according opposite end on its own.

----------

## gentoo_ram

I do my websurfing from work over an SSH tunnel.  Running SecureCRT on my work windows box to home, forward a TCP port.  Tell my browser on the Windows box the proxy is on localhost:(forwarded port).  Then it goes through squid running on my box at home.  Encrypted to Big Brother at least.

Firefox -> SSH tunnel =====> SSH Server -> Squid -> Internet.

----------

## Mad Merlin

Complete URLs are not sent in plaintext via SSL, only the hostname/IP address is.

----------

## szczerb

TOR?

http://en.wikipedia.org/wiki/Tor_(anonymity_network)

----------

## aztech

 *szczerb wrote:*   

> TOR?
> 
> http://en.wikipedia.org/wiki/Tor_(anonymity_network)

 

Well .. as I concluded earlier, the current solution works just fine.

----------

## cach0rr0

disclaimer: I may have these steps a bit munged, but the basic idea is correct

In order to initiate an SSL/TLS session, you first have to send a CONNECT.

This CONNECT is the only thing that takes place cleartext.

The cert exchange then takes place, and from there on out your GET/POST/HEAD/etc requests take place via an encrypted socket. 

All that your IT staff will see, are a number of CONNECT requests to your proxy at home. The final request-URI (e.g. the site you're using the proxy to access) is *NOT* sent in this CONNECT request. It is going to be sent in one of the subsequent requests, using a different request method (i.e. not "CONNECT") over an encrypted channel. 

In other words, so long as you haven't unknowingly - and you would know - accepted your company's monitoring software's certificate, they aren't going to be able to see your traffic; thus, your information is safe.

----------
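An added example, not part of any post in the thread: a small Python model of the point discussed above, splitting the CGIProxy URL from the first post into what a network observer can read and what travels inside the TLS session. The function names and flags are hypothetical; it assumes the client sends the server name in the TLS ClientHello (SNI) and, when `corporate_proxy` is set, that the browser goes through an HTTP proxy using CONNECT.

```python
from urllib.parse import urlsplit

# URL from the thread: the CGIProxy request as typed at work.
PAGE_URL = ("https://my.homeserver.org/cgi-bin/nph-proxy.cgi/"
            "000010A/http/www.google.se/")


def wire_view(url, corporate_proxy=True, tls_intercepted=False):
    """Split one HTTPS request into what a network observer can read
    and what stays inside the TLS session.

    corporate_proxy: browser reaches the Internet through an HTTP proxy,
                     so a cleartext CONNECT precedes the TLS handshake.
    tls_intercepted: a middlebox terminates TLS with its own certificate
                     (the SSL-intercept case), so it reads the inner request.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an absolute https:// URL")
    host, port = parts.hostname, parts.port or 443
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query

    # Visible without breaking TLS: endpoints and the server name (assumes SNI).
    visible = [f"TCP destination {host}:{port}",
               f"TLS ClientHello server_name {host}"]
    if corporate_proxy:
        visible.insert(0, f"CONNECT {host}:{port} HTTP/1.1")

    # Sent only after the handshake, inside the encrypted channel.
    inner = [f"GET {target} HTTP/1.1", f"Host: {host}"]

    if tls_intercepted:
        visible, inner = visible + inner, []
    return visible, inner


def observer_can_read(needle, url, **kwargs):
    """True if `needle` appears in anything the observer can read."""
    visible, _ = wire_view(url, **kwargs)
    return any(needle in line for line in visible)


if __name__ == "__main__":
    for intercepted in (False, True):
        seen, hidden = wire_view(PAGE_URL, tls_intercepted=intercepted)
        print(f"intercepted={intercepted}\n  visible: {seen}\n  hidden:  {hidden}")
```
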

