Nepal and proxies

Charles Steinkuehler charles at steinkuehler.net
Tue Jul 15 09:25:31 CDT 2008


Sean Crago wrote:
| On a more LUG-relevant note, the new ISP seems to be running some sort
| of Squid proxy, according to some "that host ain't responding" errors
| that explicitly stated they were coming from a Squid install. If they
| are running an HTTPS proxy as well then I am extremely nervous - Would
| anyone care to share a simple test to determine whether or not they
| are and, if possible, simple ways to bypass a transparent proxy?
| Bandwidth is scarce in Nepal, but I'm a touch more concerned about
| protecting my privacy than limiting my bandwidth consumption.

You need to look at the certificate of the site you're talking to.

It's possible to proxy/NAT/mangle https traffic w/o listening in on the
encrypted communication.  It's also possible to do a man-in-the-middle
decrypt/re-encrypt of the traffic to sniff the contents.

Barring any serious bugs in your crypto implementation, the way to tell
if you're talking securely to the site you intend is to examine the
certificate used to encrypt the traffic.  If the certificate (and hence
the public key) are trusted, it should not be possible for anyone to
listen-in on your communication, regardless of whether or not they have
access to the traffic (assuming, of course, that you trust public-key
encryption).

So...make sure the certificate for the far-end was issued to your bank
and not to some local Nepal company.   And pay close attention to any
pop-ups your browser throws about certificates.

...or contact the folks you want to communicate with ITRW and exchange a
few one-time pads.  :)

--
Charles Steinkuehler
charles at steinkuehler.net
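
A scripted version of the certificate check described in the message above, as an added example that is not part of the original post. The function names (`describe`, `verdict`, `probe`) and the sample values are assumptions constructed for illustration; the pinned fingerprint is one you obtained yourself over a different network.

```python
import hashlib
import socket
import ssl
import sys

def describe(cert, der):
    """Reduce getpeercert() output to the fields worth reading by eye."""
    def field(name, key):
        # Names arrive as a tuple of RDNs, each a tuple of (key, value) pairs.
        return next((v for rdn in name for k, v in rdn if k == key), None)
    subject, issuer = cert.get("subject", ()), cert.get("issuer", ())
    return {
        "subject_cn": field(subject, "commonName"),
        "subject_org": field(subject, "organizationName"),
        "issuer_org": field(issuer, "organizationName"),
        "sha256": hashlib.sha256(der).hexdigest(),
    }

def verdict(info, expected_sha256=None):
    """Compare with a fingerprint obtained out of band, e.g. on another network."""
    if expected_sha256 is None:
        return "unpinned: read subject and issuer yourself"
    want = expected_sha256.replace(":", "").lower()
    return "match" if info["sha256"] == want else "MISMATCH: not the expected certificate"

def probe(host, port=443, expected_sha256=None, timeout=10):
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                info = describe(tls.getpeercert(), tls.getpeercert(binary_form=True))
    except ssl.SSLCertVerificationError as exc:
        # Scripted equivalent of the browser's certificate pop-up.
        return {"trusted": False, "reason": exc.verify_message}
    info.update(trusted=True, verdict=verdict(info, expected_sha256))
    return info

# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Bank (constructed)"),),
                (("commonName", "www.bank.example"),)),
    "issuer": ((("organizationName", "Example Root CA (constructed)"),),),
}
SAMPLE_DER = b"constructed bytes standing in for the DER-encoded certificate"

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: script.py HOST [SHA256_FINGERPRINT]
        print(probe(sys.argv[1], expected_sha256=(sys.argv[2:] or [None])[0]))
    else:
        print(describe(SAMPLE_CERT, SAMPLE_DER))
```

A fingerprint mismatch is not proof of interception on its own, since large sites serve different certificates from different front ends; an unexpected issuer or a verification failure is the stronger signal.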

