Post 302243384 by Linux Bot on Sunday 5th of October 2008 06:50:03 AM
Proxy Caches are a Challenging Threat to Internet Security

Tim Bass
10-05-2008 03:41 AM
Proxy caches, combined with poorly written session management code, can easily lead to serious security flaws similar to what we highlighted in A New Security Breach in Google Docs Revealed.

Web developers have no control over proxy caches in the Internet. However, developers do have control of the code they write and their admin teams have configuration control of their web servers. Developers must assume the worst case Internet scenario with aggressive Internet cache management policies that serve cached data for economic and performance reasons.

As a consequence, this fact-of-life on the Internet sometimes results in multiple web clients being sent the same Set-Cookie HTTP headers, for example. Caching proxy servers should obtain a fresh cookie for each new client request. Ideally, proxy caches should not cache session management cookies and distribute cached cookies to multiple clients. However, application developers cannot assume that proxy caches are well behaved, especially for applications where security and privacy are required.

Web developers cannot know whether their content is consumed directly or via a proxy cache. Developers also cannot assume that the HTTP responses will be delivered to the intended browser. Moreover, developers cannot be sure that the intended browser even receives the intended content. For example, a session ID issued to a client gets used while it is valid or until abandoned and expired. If it is served and delivered in response to an unencrypted HTTP GET request, there's no guarantee it will be consumed by the intended web browser.

Ideally, SSL should be used on all web transactions that require confidentiality and privacy, including our recent Google Docs breach. On the other hand, even SSL is not foolproof. For example, many web developers do not correctly set the “Encrypted Sessions Only” cookie property. These incorrectly configured “secure” servers will send HTTPS cookies in the open, unencrypted.

There be dragons …


Note: Reposted from the (ISC)2 blog.
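
The two server-side conditions the post describes (a Set-Cookie response that a shared cache may store, and a cookie issued over HTTPS without the encrypted-only property) can be checked mechanically. This is an added example, not part of the original post or the (ISC)2 blog. The function names, the cookie name SID and the sample responses are hypothetical, and it assumes "Encrypted Sessions Only" refers to the cookie `Secure` attribute.

```python
# Added example: audit one HTTP response for cookie exposure to shared caches.
# Assumption: "Encrypted Sessions Only" in the post means the Secure attribute.

SHARED_CACHE_BLOCKERS = {"no-store", "private"}  # shared caches must not store


def parse_headers(raw):
    """Return [(lowercased name, value)]; the status line has no colon and drops out."""
    parts = (line.partition(":") for line in raw.strip().splitlines())
    return [(n.strip().lower(), v.strip()) for n, sep, v in parts if sep]


def cookie_attrs(set_cookie):
    """Split one Set-Cookie value into (cookie name, lowercased attribute names)."""
    first, *rest = set_cookie.split(";")
    name = first.partition("=")[0].strip()
    return name, {part.partition("=")[0].strip().lower() for part in rest}


def audit(raw, https):
    """Return findings for one response; `https` is how the request was made."""
    headers = parse_headers(raw)
    cookies = [v for n, v in headers if n == "set-cookie"]
    if not cookies:
        return []  # no cookie issued in this response
    directives = {d.partition("=")[0].strip().lower()
                  for n, v in headers if n == "cache-control"
                  for d in v.split(",")}
    findings = []
    if not directives & SHARED_CACHE_BLOCKERS:
        findings.append("set-cookie-storable-by-shared-cache")
    for value in cookies:
        name, attrs = cookie_attrs(value)
        if not https:
            findings.append(f"cookie-sent-over-plain-http:{name}")
        elif "secure" not in attrs:
            findings.append(f"cookie-missing-secure:{name}")
    return findings


# Constructed sample responses (hypothetical cookie name SID, not captured traffic).
WEAK = ("HTTP/1.1 200 OK\r\nCache-Control: public, max-age=600\r\n"
        "Set-Cookie: SID=constructed123; Path=/; HttpOnly\r\n")
HARDENED = ("HTTP/1.1 200 OK\r\nCache-Control: no-store, private\r\n"
            "Set-Cookie: SID=constructed123; Path=/; HttpOnly; Secure\r\n")

if __name__ == "__main__":
    print(audit(WEAK, https=True))
    print(audit(HARDENED, https=True))
```

The cache directives only constrain caches that honour them, which the post says cannot be assumed, so the transport and `Secure` findings matter even when the cache check passes.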

ssh-http-proxy-connect(1)					   User Commands					 ssh-http-proxy-connect(1)

NAME
     ssh-http-proxy-connect - Secure Shell proxy for HTTP

SYNOPSIS
     /usr/lib/ssh/ssh-http-proxy-connect [-h http_proxy_host] [-p http_proxy_port] connect_host connect_port

DESCRIPTION
     A proxy command for ssh(1) that uses HTTP CONNECT. Typical use is where connections external to a network are only allowed via a proxy web server.

OPTIONS
     The following options are supported:

     -h http_proxy_host
          Specifies the proxy web server through which to connect. Overrides the HTTPPROXY and http_proxy environment variables if they are set.

     -p http_proxy_port
          Specifies the port on which the proxy web server runs. If not specified, port 80 is assumed. Overrides the HTTPPROXYPORT and http_proxy environment variables if they are set.

OPERANDS
     The following operands are supported:

     http_proxy_host
          The host name or IP address (IPv4 or IPv6) of the proxy.

     http_proxy_port
          The numeric port number to connect to on http_proxy_host.

     connect_host
          The name of the remote host to which the proxy web server is to connect you.

     connect_port
          The numeric port number of the proxy web server to connect you to on http_proxy_host.

EXAMPLES
     The recommended way to use a proxy connection command is to configure the ProxyCommand in ssh_config(4) (see Example 1 and Example 2). Example 3 shows how the proxy command can be specified on the command line when running ssh(1).

     Example 1: Setting the proxy from the environment

     The following example uses ssh-http-proxy-connect in ssh_config(4) when the proxy is set from the environment:

          Host playtime.foo.com
              ProxyCommand /usr/lib/ssh/ssh-http-proxy-connect playtime.foo.com 22

     Example 2: Overriding proxy environment variables

     The following example uses ssh-http-proxy-connect in ssh_config(4) to override (or if not set) proxy environment variables:

          Host playtime.foo.com
              ProxyCommand /usr/lib/ssh/ssh-http-proxy-connect -h webcache -p 8080 playtime.foo.com 22

     Example 3: Using the command line

     The following example uses ssh-http-proxy-connect from the ssh(1) command line:

          example$ ssh -o'ProxyCommand="/usr/lib/ssh/ssh-http-proxy-connect -h webcache -p 8080 playtime.foo.com 22"' playtime.foo.com

ENVIRONMENT VARIABLES
     HTTPPROXY
          Takes the http_proxy_host operand to specify the default proxy host. Overrides http_proxy if both are set.

     HTTPPROXYPORT
          Takes the http_proxy_port operand to specify the default proxy port. Ignored if HTTPPROXY is not set.

     http_proxy
          URL format for specifying proxy host and port.

EXIT STATUS
     The following exit values are returned:

     0    Successful completion.

     1    An error occurred.

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     +-----------------------------+-----------------------------+
     |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
     +-----------------------------+-----------------------------+
     |Availability                 |SUNWsshu                     |
     +-----------------------------+-----------------------------+
     |Interface Stability          |Stable                       |
     +-----------------------------+-----------------------------+

SEE ALSO
     ssh(1), ssh-socks5-proxy-connect(1), ssh_config(4), attributes(5)

SunOS 5.10                         24 Oct 2001                         ssh-http-proxy-connect(1)