Jump to content

Problems accessing certain sites (Https aka TLS)


Recommended Posts

There is no crypto.dll in XP or ReactOS. The Cert functions are handled in crypt32.dll. Tests with ReactOS files should include schannel.dll, mbedtls.dll, crypt32.dll, and advapi32_vista.dll (for crypt32.dll).

Link to comment
Share on other sites


Yes, sorry for the typo, I meant crypt32.dll

By the way, as to home banking, my XP is updated and I have Avast Premier with the full customer service support, which basically means that not only I'm protected, but if something screws up my computer (like a ransomware) the guys from Avast Support have to log into my computer and fix the problem. It's the same level of support that companies have.

My actual layers of protection:

Internet -> NordVPN (Open VPN Protocol with kill switch on the router) -> UFW (Linux Switch Firewall) -> Nod32 Premium (Linux Switch Antivirus) -> Windows XP Firewall -> Avast Premier Firewall -> Avast Premier Antivirus.

I'm pretty confident I'm far more protected than many people running W7/8/8.1 or 10 who don't update anything, especially because Avast Premier is a pretty reliable product itself, but making it work as a second layer of security after Linux... well... simply makes my computer safe. You may be arguing that these layers of protection slightly slow internet down, but my speed is 2400 kB/s in download and 1600 kB/s in upload and is more than enough. As to the ping, I stopped playing games in 2012, 'cause when you start thinking about having your own family, you stop playing games and you grow up, so I don't really care if it's slightly higher than normal 'cause I don't even notice.

Edited by FranceBB
Link to comment
Share on other sites

16 hours ago, FranceBB said:

Heinoganda did a really good job with his proxy: I have been using it in the past and it was really useful, but I stopped using it mainly because I still use XP to do home-banking and access to my investments and I don't know who owns the server.

Huh? It's a local proxy; the "server" is your own PC! I presume you own it, or at least control it....

Link to comment
Share on other sites

I see, so it's not like an old-fashioned proxy that sends all the traffic through a server somewhere in the world and gets it back, but it filters it internally in the machine.

If that's correct, then I'm gonna ask you to send me an updated version once again 'cause I'll start using it again. :D

Edited by FranceBB
Link to comment
Share on other sites

That's right. A little history: I originally found ProxHTTPSProxy on a forum for the Proxomitron (a local proxy for filtering ads). There was a need to break https: internally on the user's PC so Proxomitron could do its ad-filtering thing on secure Web sites, and then to re-create https: security so it would all be transparent to the Web browser.

I realized we could use it even if Proxomitron wasn't involved, in order to use newer https: protocols, ciphers, etc. with older browsers that have outdated security. Then Heinoganda took it over and has kept it up-to-date as OpenSSL (which it's based on) has evolved.

Link to comment
Share on other sites

But HTTPSProxy opens a door for MITM attacks, because the traffic is not encrypted on port localhost:xxxxx between front and rear server.

If it is possible, use a better SW that can do banking without any browser, and connect direct with the banking server.

I only use HBCI with a secur ID card and a card reader with an build in display and keypad for the pin.

Until today there is NO WAY to hack this banking transactions...

I use HTTPSProxy only for enabling XP and Outlook (Office) 2010 loading pictures and other stuff from TLS1.1/1.2 servers with higher cipher suites.

Also not so secure, but with a backup dosn't matter...

Edited by Thomas S.
Link to comment
Share on other sites

"traffic is unencrypted on localhost:xxxxx"

Assuming that you can access my Windows machine from the outside world and you can't. The Linux Switch I mentioned above makes sure that it stays in a NAT Network. In other words, all the devices connected to my subnet can talk to each other and to the NAS if enabled by the switch, but the switch makes sure that they stay in their own NAT and that they can't be accessible by the outside world and there's no port forwarding.

Edited by FranceBB
Link to comment
Share on other sites

12 hours ago, Thomas S. said:

But HTTPSProxy opens a door for MITM attacks, because the traffic is not encrypted on port localhost:xxxxx between front and rear server.

That is true, and I mentioned that at the time. But decrypted data never appears anywhere on the network; only within buffers on the PC running HTTPSProxy. Data to/from localhost isn't sent out the Ethernet port; it never leaves the PC.

A script injection attack wouldn't work either, because neither server listens on any external network address. So from outside the PC (say, a compromised router), it's impossible to tell HTTPSProxy is even running. So an attacker would need to get malware onto your PC to exploit this "vulnerability." But if an attacker has managed to do that, they could more easily read decrypted data directly from your screen or keyboard!

So unless you think Heinoganda has secretly installed malware in his updates, you really don't have much reason to worry.

Link to comment
Share on other sites

5 hours ago, Mathwiz said:

So unless you think Heinoganda has secretly installed malware in his updates...

:cool: Why do you think I think this? Never. I use HTTPSProxy (my own version, but doesn't matter :) )

My remark should show that there is no definitive security.

You can do whatever you want, there is always a way to get your data when you go into the internet (via a browser) - and catch malware.

And if you can go to internet and do banking with a browser the door is open - nothing helps, no firewall or router.

The only question is how difficult the way is for the malware, but there is a way...

Conclusion: do not think you are safe, regardless OS and patches!

Link to comment
Share on other sites

1 hour ago, Thomas S. said:

:cool:

Conclusion: do not think you are safe, regardless OS and patches!

Still, we are not in the 90s, nowadays it would seem unreal/a waste of time if I think about going to the bank to do basic things like checking a statement or paying my rent, paying Bills and so on. I mean, you have to get to your branch, sometimes it's close to where you live, sometimes it's not. If you live in a big city, you are better off using the tube 'cause it would be a nightmare going there with your car and... once you get there... there's probably a queue.

 

Anyway, it's just an example, but my point is: technology is here to help and we should use it. Sure, there will always be bad guys working in the background, but once you are protected from the most common mass attacks, why should you care? I mean, if you are not a very important and famous person or a company, it's unlikely that they would target you specifically. And even if you are a VIP and you implement very strong defensive protections, if an attacker is skilled enough, he will always find a way, just like the NSA does with terrorists and other suspects to protect the country (even on Linux).

 

Conclusion:

As things are now, overall, I think that XP users with updates, Firewall and antivirus are not less safe than Win7 ones, but again it always comes to common sense. :)

Edited by FranceBB
Link to comment
Share on other sites

  • 1 month later...

Hi all,

I have created a little suite of HTTPSProxy with a Launcher, that has multiple options and is full portable.

The reason was that I was not happy about several standalone solutions to manage the HTTPS connections in WinXP, so I edited an old project (SysTrayIcon) and adapted it to HTTPSProxy.

Also HTTPSProxy is as new as possible with little enhancements, see the documentation (changelog.txt)

Installation see Installation-Update_EN.txt or Installation-Update_DE.txt, it is very easy (only copy and run...)

You can read a detailed LauncherHelp_EN.txt (also in DE) attached, there are all options explained.

The programs, certs and tools are up to date!

Download link

pasword (full copy & paste do not work, type the last number!):

rzeYaSFFo8cqVv2

If you have trouble with install or usage please send me a PN.

I will help as soon as possible!

Information: it is a known issue / limitation, that some AV software detect the suite / some exe files as malicious, but it is not truth. The HTTPSProxy exe is build with Python / pyInstaller and the Launcher exe with Autohotkey. It seems that the "compilers" use code that is similar to some malicious software. Sorry, I can only say: if you don't trust this suite, don't install it... I can't solve this problem.

CU TS

Launcher - Options.jpg

Launcher - Proxy settings - Log GUI.jpg

New version of HTTPSProxy without bug (for information about the fixed bug see the next post).

HTTPSProxy_2018-11-06_OK.jpg

The python module / library versions are variables, read out and displayed at runtime.

 

Edited by Thomas S.
Link to comment
Share on other sites

Attention! BUG!!

There is a bug in the modules of python, which are used for the build of HTTPSProxy, that allow weak and unsafe ciphers.

You can test it yourself by open the site https://www.howsmyssl.com/ in IE8, it reports "BAD" because of this weak ciphers.

I have released today a update (under the same link, see one post before) for HTTPSProxy, which solve the problem.

You can install the update, but it is not really tested (but works, the bad ciphers are locked as is was before the bug.

I will test the update today and will give an info about in the late evening (DE time).

The new release is OK.

I have also updated the help and changelog files, all RootCA files are up to date.

New version:

HTTPSProxy_2018-11-06_OK.jpg.33c7a7a60f3c0a1430b7b956665e133a.jpg

The python module / library versions are variables, read out and displayed at runtime.

Old version with bug:

HTTPSProxy_2018-10-24_buggy.jpg

Edited by Thomas S.
update check ok
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...