Mathwiz Posted January 6, 2017 (edited)

Yes, I think that could be set up; but the way it works, there's still SSL/TLS encryption between the browser and the proxy, so you can't get rid of all the work on the browser's PC. I suppose the trick would be to limit the browser to some less-CPU-demanding ciphers. You wouldn't need super-strong encryption on the browser side since the data would only be flowing over your own network, not the Internet. Perhaps RC4 would be a good choice, even though it's not a good choice for the Internet side anymore.

Edit: Well, I just learned something new. Turns out some of the newer Intel and AMD CPUs have AES-specific instructions, making AES faster than RC4! But, if you have one of those new CPUs, you have SSE2 also, so you can run newer browsers and probably don't even need this proxy. So for the browser side, RC4 is probably the best choice if you're reading this thread.
heinoganda Posted January 6, 2017 (edited)

@Mathwiz I have made various tests with "ProxHTTPSProxyMII"; as far as that goes, it works wonderfully with ECC-encrypted websites. For "BYPASS URL" in the file "config.ini" I made the entry "http://*", so that there is no error message in the browser for a plain URL input. Furthermore, I have replaced the MSVCR100.dll file with the more recent version from the Microsoft Visual C++ 2010 Redist update of 09/08/2011, version 10.0.40219.325.

It is important to know that Firefox and Java 8 have their own certificate management. With Windows and Firefox it is not a problem to install the included root certificate (CA.crt), but Java has its problem here: any malicious software would find its way onto the computer, which was originally excluded in Java 8 (older versions of Java must be configured accordingly!) by the restriction that only certified websites work with Java. Of course, regular websites that support Java 8 (older versions of Java must be configured accordingly!) no longer work with "ProxHTTPSProxyMII"! Unless this root certificate were to find its way into Java's certificate management, with impending consequences.

The whole thing should be used with caution! Things like online banking should absolutely be omitted! In the worst case, fake websites would also find their way into the Internet browser, so be careful! Here an additional tool should automate the "BLACKLIST" section in the file "config.ini", regularly updated using the malware list of http://www.malwaredomainlist.com or an equivalent, in order to build up at least a certain protection again.
Mathwiz Posted January 6, 2017

Thanks for working on this! I'm handling http:// (not secured) requests another way: I configured my browser to use ProxHTTPSProxyMII as its proxy only for https:, not for http:. Different technique but same result.

I've run into some web sites that don't work. Microsoft/Windows Update doesn't work because Microsoft uses its own root certificate that isn't in the supplied cacert.pem or the downloaded one. Rather than appending Microsoft's root certificate every time I download a new cacert.pem, I just put update.microsoft.com and www.update.microsoft.com in the SSL Pass-Thru section of config.ini. (Oddly, catalog.update.microsoft.com does work with the proxy; it uses a different certificate whose root is in cacert.pem.) Adobe.com didn't work either, although I haven't yet figured out why. But generally, if a web site works without the proxy but doesn't work with it, SSL Pass-Thru is a quick and easy fix. Sites listed there are not decrypted and re-encrypted; instead, encrypted SSL data is passed through the proxy unchanged.

For the most part, I don't think the proxy compromises security, and in some cases it may actually improve it! I wouldn't be too worried about using it even with on-line banking sites. But SSLlabs.com reports that it's vulnerable to the Logjam attack, so if you're worried about that you can list your bank's site in SSL Pass-Thru.

I haven't been using this as an anti-malware filter, but the Blacklist section could certainly be used for that purpose if one wished.
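The two posts above describe three config.ini sections that change what the proxy does with a request: BLACKLIST (refuse), SSL Pass-Thru (tunnel the TLS bytes without decrypting) and BYPASS URL (hand plain http:// through untouched). The following is an added example, not code from ProxHTTPSProxyMII or from either poster, that parses a config in that shape and returns the decision for a URL. The section names and the "http://*" entry come from the thread; the evaluation order (blacklist first, then pass-through for https hosts, then bypass), the use of shell-style wildcards, and the sample config are assumptions made for this example.

```python
"""Policy lookup modelled on ProxHTTPSProxyMII's config.ini sections.

Added example, not project code. Section names come from the thread;
matching semantics and evaluation order are assumptions.
"""
import configparser
import fnmatch
from urllib.parse import urlsplit

# Constructed sample config for this example (not a file from the page).
# Patterns are hostnames for BLACKLIST / SSL Pass-Thru and full URLs for BYPASS URL.
SAMPLE_CONFIG = """\
[GENERAL]
ProxAddr = http://localhost:8080

[BLACKLIST]
*.malware.example
tracker.example

[SSL Pass-Thru]
update.microsoft.com
www.update.microsoft.com

[BYPASS URL]
http://*
"""


def load_config(text):
    """Parse config text where section entries are bare patterns (no '= value')."""
    # Only '=' as delimiter: the default ':' would split "http://*" into key and value.
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.optionxform = str  # keep patterns as written; case is folded at match time
    cp.read_string(text)
    return cp


def _patterns(cp, section):
    return list(cp[section].keys()) if cp.has_section(section) else []


def _matches(value, patterns):
    # Hostnames are case-insensitive, so compare lower-cased on both sides.
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def decide(cp, url):
    """Return one of 'block', 'passthru', 'bypass', 'intercept' for a request URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if _matches(host, _patterns(cp, "BLACKLIST")):
        return "block"          # refused outright, whatever the scheme
    if parts.scheme == "https" and _matches(host, _patterns(cp, "SSL Pass-Thru")):
        return "passthru"       # TLS bytes tunnelled; browser sees the real certificate
    if _matches(url, _patterns(cp, "BYPASS URL")):
        return "bypass"         # plain http: forwarded without the front/rear split
    return "intercept"          # decrypted, filtered (e.g. via ProxAddr), re-encrypted


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for u in ("https://update.microsoft.com/ws", "https://catalog.update.microsoft.com/",
              "http://www.google.pl/", "https://ads.malware.example/x"):
        print(u, "->", decide(cfg, u))
```

Anything that lands in the "intercept" branch is the case where the proxy's own OpenSSL build, not the browser's, decides which TLS version and ciphers are negotiated with the site, which is why the Logjam discussion later in the thread matters only for hosts that are not listed under SSL Pass-Thru.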
Ninho Posted January 6, 2017 (Author)

@Mathwiz, All: as the originator of this thread, I just wanted to "plus-one" that "ProxHTTPSProxyMII" (.exe compiled version) + Proxomitron is working here and has been easy to set up and configure thanks to your added remarks and caveats, solving the original problem. Congratulations added for your rather remarkable searching... and finding skills!
Sfor Posted January 8, 2017

It seems ProxHTTPSProxyMII teamed with the Proxomitron can add TLS 1.2. I was able to confirm it with IE 8.

While trying to get the thing working I noticed an interesting option in the Proxomitron version Naoko 4.5. In "config" - "HTTP" section there is "Use SSLeay/OpenSSL to filter secure pages (requires ssleay and libeay23 DLL files)". It seems there is an option to filter HTTPS without ProxHTTPSProxyMII. But I was unable to provide the Proxomitron with DLL libraries it would be satisfied with. So, perhaps just the Proxomitron could do the TLS 1.2 conversion.
Mathwiz Posted January 8, 2017 (edited)

Sfor said: While trying to get the thing working I noticed an interesting option in the Proxomitron version Naoko 4.5. In "config" - "HTTP" section there is "Use SSLeay/OpenSSL to filter secure pages (requires ssleay and libeay23 DLL files)".

Try one of the light installers here (I'm not sure which version the Proxomitron expects, though; start with the newest 1.1.0 and back up until one works): You can get installers for the latest OpenSSL versions for Windows at https://slproweb.com/products/Win32OpenSSL.html. (Despite the name, they also have 64-bit versions available.)
jumper Posted January 10, 2017

It only works with 9.6 or the special build of 9.8 on the Proxomitron website. This feature is obsolete by almost ten years... I wouldn't bother.
Mathwiz Posted January 11, 2017 (edited)

On Friday, January 06, 2017 at 10:07 AM, Mathwiz said: For the most part, I don't think the proxy compromises security, and in some cases it may actually improve it! I wouldn't be too worried about using it even with on-line banking sites. But SSLlabs.com reports that it's vulnerable to the Logjam attack, so if you're worried about that you can list your bank's site in SSL Pass-Thru.

I've confirmed that the Logjam vulnerability can be fixed. Apparently the .exe version includes an old, vulnerable version of the OpenSSL libraries. So, I decided to try the Python version.

I downloaded and installed the latest XP-compatible Python version, 3.4.4. (Technically, there's a 3.4.5 also, but it's source code only; no Windows installer exists. So if you want Python 3.4.5, you'll have to build it from source yourself.) Then I downloaded the Python version of ProxHTTPSProxy and tried to run it from a command window, but it started complaining about missing packages. So I had to learn how to install all the packages the author had used, using a Python tool called 'pip'; but eventually, it finally ran without complaining about any more missing packages.

I then pulled up https://www.ssllabs.com/ssltest/viewMyClient.html in IE 8 and the news was good: "Your user agent is not vulnerable" to Logjam or any other attack tested for at that site! I got this good result with OpenSSL version 1.0.2j .DLLs.

For most folks, I don't think it's worth the trouble to download and install Python along with all those missing packages; it's easier to just put banking sites in the SSL Pass-Thru section (so they use the browser's security instead of the proxy's security), or just use a different browser for those sites. I did this just to confirm that the Logjam vulnerability was present due to the OpenSSL version the original author used.
Monroe Posted January 11, 2017 (edited)

In reference to Proxomitron and the ssleay and libeay23 DLL files: there is a special set of these two DLL files that were modified by Sidki some time back. Having used Proxomitron for over 10 years, since when Scott R. Lemmon was still alive, I have been using the Sidki set of filters. In November I tried using the latest set of the new ssleay32 and libeay32 DLL files just to see how they would work... they didn't. I put the Sidki modified files back into Proxomitron.

When members started talking about Proxomitron here... I searched for the files at the Proxomitron forum and could not find them. I will search again... Sidki has long left the scene, as he announced that he was leaving over five years ago. He did something with those DLLs that will only work in Proxomitron... his filter set is still the best and JJoe and ProxRocks continue to modify and fix the Sidki last set of filters as problems arise.

I found this text from sidki, Oct 1 2006: http://proxomitron.info/files/download/openssl-readme.txt

These DLLs were compiled after modifying some files, making them compatible with 0.9.6 aware programs like Proxomitron. All changed files are included with this distribution. The original changes were done by netlaw in June 2003, bringing back OpenSSL_add_all_algorithms.

OpenSSL 0.9.8a brought a major change in the way SSL_METHOD is initialized, apparently breaking backwards compatibility again, see: http://www.openssl.org/news/changelog.html

For this reason the included DLLs stick to 0.9.8, but include two security patches, implemented in the official 0.9.8c revision and above:

Patch for RSA Signature Forgery. http://www.openssl.org/news/patch-CVE-2006-4339.txt
Patch for Potential SSL 2.0 rollback. http://www.openssl.org/news/patch-CAN-2005-2969.txt

In case of future major vulnerabilities, if you found a patch from a trusted source, or even a way to make DLL initialization backwards compatible again, you can reach me at configbugs at gmail dot com. Asking someone with profound C++ knowledge may be the better choice tho. ;-)

A general description and installation hints are on my SSL download page: http://www.geocities.com/sidki3003/prox-ssl.html

-- sidki, Oct 1 2006

The Sidki files are on this page under Add Ons... just found them. http://proxomitron.info/files/index.html
jumper Posted January 12, 2017 (edited)

The modified 0.9.8 package contains three small source files: one for OpenSSL_add_all_algorithms and one for each of the two patches. Very simple. If I can recreate the modified package using MSVC6, then it should be easy to update it with three more 2007 patches listed at http://web.archive.org/web/*/http://www.openssl.org/news/*.

The changelog states:

Changes between 0.9.8 and 0.9.8a [11 Oct 2005]
*) Initialize SSL_METHOD structures at compile time instead of during runtime, thus removing the need for a lock. [Steve Henson]

We can probably port the old init code (with lock) forward, or do it in the DLL init. If so, we might be able to go all the way to 0.9.8zh....
Monroe Posted January 13, 2017 (edited)

Just a suggestion... if you have a few free minutes, why not sign up over at the Proxomitron forum and then under the Sidki topic... maybe bring this subject up or ask a few questions. As I mentioned earlier... JJoe and ProxRocks are still there and will show up in a 'few minutes' or a 'few days' to reply. It seems to still be the only active part of the forum.

The Un-Official Proxomitron Forum http://prxbx.com/forums/
Proxomitron Config Sets Sidki http://prxbx.com/forums/forumdisplay.php?fid=44

... just to add, I can be of no help here... what you mentioned earlier is not clear to me or 'just over my head'.
Mathwiz Posted January 13, 2017

1. I should point out it's rather easy to use ProxHTTPSProxy without the Proxomitron: just change the line ProxAddr = http://localhost:8080 to ProxAddr = http://localhost:8081 ... so its front server connects directly to its rear server without trying to go through the Proxomitron.

2. I finally figured out which OpenSSL version is included in the standalone (.exe) version of ProxHTTPSProxy. It's OpenSSL 1.02a. As luck would have it, the Logjam vulnerability was fixed in the very next release (1.02b), so the .exe version is indeed vulnerable to that attack (the message from ssllabs.com isn't a false alarm).

3. If you install Python along with all the packages needed to run the Python version of ProxHTTPSProxy, the "cryptography" package will come along for the ride at some point. Turns out it includes OpenSSL 1.02j, so you don't actually need to install OpenSSL for either the .exe or the Python version! The developers of the cryptography package have promised to update it whenever OpenSSL updates their product, so you should upgrade the cryptography package whenever that happens to stay on the most current OpenSSL version. I believe the command to do that is pip install -U cryptography from an XP command prompt. (This assumes Python is in your path.)
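The Logjam result in the two Mathwiz posts above (January 11 and point 2 here) comes down to which OpenSSL build the proxy's rear server links against. The following is an added example, not code from ProxHTTPSProxy or from any poster, with two client-side checks: a version test that tells whether a given OpenSSL version string is at or past the release where short DH groups started being rejected, and a TLS client context that cannot negotiate finite-field DHE at all, which is the direct mitigation when you cannot change the library. The thread only names 1.0.2b; the other branch minimums (1.0.1n, 1.0.0s, 0.9.8zg) are taken from the OpenSSL security advisory of 11 June 2015 and are an assumption here, as is the specific cipher string. Feed it ssl.OPENSSL_VERSION for the interpreter's own build, or the string returned by cryptography.hazmat.backends.openssl.backend.openssl_version_text() for the copy bundled with the cryptography package.

```python
"""Two client-side checks for the Logjam issue discussed in this thread.

Added example, not ProxHTTPSProxy code. Branch minimums are assumed from
the OpenSSL advisory of 11 Jun 2015; the cipher string is one reasonable
choice, not the proxy's own setting.
"""
import re
import ssl

# First release on each branch that rejects weak DH parameters (assumption,
# per the 11 Jun 2015 advisory). Anything 1.1.0 or later enforces >= 1024 bits.
_LOGJAM_FIX = {(0, 9, 8): "zg", (1, 0, 0): "s", (1, 0, 1): "n", (1, 0, 2): "b"}

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """'OpenSSL 1.0.2j  26 Sep 2016' -> ((1, 0, 2), 'j'); ValueError if not OpenSSL."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % (text,))
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def _letter_key(letter):
    # Patch letters run a..z, then za, zb, ...: a longer suffix is always newer.
    return (len(letter), letter)


def logjam_fixed(text):
    """True if this OpenSSL build is at or past the Logjam fix for its branch."""
    branch, letter = parse_openssl_version(text)
    if branch >= (1, 1, 0):
        return True
    minimum = _LOGJAM_FIX.get(branch)
    if minimum is None:
        return False          # older or unknown branch: treat as unfixed
    return _letter_key(letter) >= _letter_key(minimum)


def hardened_client_context():
    """Client context with no finite-field DHE suites, so Logjam cannot apply."""
    ctx = ssl.create_default_context()
    if hasattr(ssl, "TLSVersion"):            # Python 3.7+
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # ECDHE only; '!DH' drops ephemeral, fixed and anonymous finite-field DH,
    # '!EXPORT' drops the export-grade suites Logjam downgrades to.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT:!RC4:!DH")
    return ctx


def dh_suites(ctx):
    """Names of enabled suites using finite-field DH (DHE/EDH/ADH/fixed DH/export)."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["name"].startswith(("DHE-", "EDH-", "ADH-", "DH-", "EXP-"))]


def running_build_is_fixed():
    """Check the OpenSSL this interpreter is linked against."""
    return logjam_fixed(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, "fixed" if running_build_is_fixed() else "VULNERABLE")
    print("DH suites left in hardened context:", dh_suites(hardened_client_context()))
```

The version check is the quick triage (it is exactly why "1.02a" fails and "1.02j" passes the ssllabs client test); the context is what you would apply inside a Python proxy that cannot be rebuilt against a newer library, since a client that never offers DHE suites cannot be downgraded to a weak DH group regardless of what the server supports.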
heinoganda Posted January 16, 2017

I have made "ProxHTTPSProxy", with Python version 3.4.4, into an executable program (x86). Tested under Windows XP and Windows 7 with a positive result. Furthermore, I have generated it not as a single file but in a directory, where various modules can be swapped if necessary. If anyone is interested, please send me a PM.
Sfor Posted January 20, 2017

On 13.01.2017 at 11:36 PM, Mathwiz said: 1. I should point out it's rather easy to use ProxHTTPSProxy without the Proxomitron: just change the line ProxAddr = http://localhost:8080 to ProxAddr = http://localhost:8081 ... so its front server connects directly to its rear server without trying to go through the Proxomitron.

But IE does not connect to http://www.google.pl/ in such a case:

400: Bad Request
The following error occurred while trying to access http://www.google.pl/
The proxy setting of the client is misconfigured. Please set the HTTPS proxy port to 8079 and check the Docs for other settings.

With Proxomitron in the middle, the http connection is redirected to https without problems, so there is no "Bad Request" message then.
heinoganda Posted January 20, 2017

In Internet Explorer, are the proxy settings made under Secure as "127.0.0.1:8079" or "localhost:8079", and is the root certificate (CA) installed (in the Firefox browser under certificate administration)?