[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Netscape the Big Win



-----BEGIN PGP SIGNED MESSAGE-----

I also agree that Netscape and similar browsers are a good target for
crypto applications.  I am working on a program (tentatively called
webcloak) which runs on your PC next to your browser.  You set the
proxy in the browser to point at this program.  This is a dialog box in
Netscape and I think most browsers have this support.  Then all of your
communications go through this program.

Unfortunately progress has been slow as I have been having to learn
Winsock programming and re-learn Windows programming.  But I do have a
dummy program working which will pass commands through.  It does not
encrypt anything yet but simply redirects commands to a web proxy running on
the net.  Soon I will work on adding encryption, but the next step is to
add dialog boxes to choose the web proxy to use.  Right now it is hard
coded in.

Someone posted recently that the formerly open web proxy at
http://www.proxy.aol.com:80/ is no longer responding.  Also, a list
member was running one for a while at http://spirit.aud.alcatel.com:8082/
but that is no longer working either.  I have been looking for proxies by
searching the incoming connection logs on this commercial system.  I
figure that some of the more frequently appearing hosts may be proxies.
I telnet to them on port 80 and type "GET http://sony.com/".  This is
just a URL I use because it is short.  Usually nothing happens but I have
found a couple of proxies that still work.  At this point I don't want to
publicize them because they might be shut down as a result.

I think running open web proxies (and another kind of proxy I will
describe in a future message) will be a good thing for Cypherpunks to do.
I know not everyone can do it; it takes more privileges and clout to keep
a server running than to drop in a mail filter.  But for those who do
have the ability to leave background processes running I think these will
be the remailers of the future.  I hope some list members will start
doing this.

As another solution, I have developed a Perl script which anyone who can
run CGI scripts can use to become a web proxy.  Fortunately (and somewhat
mysteriously) this commercial system lets me do that.  Basically if you
want to connect to http://www.mcom.com/ you instead connect to
http://www.portal.com/~hfinney/webcloak.cgi?http://www.mcom.com/.  The
name of the CGI script and "?" is prepended to the desired URL.  The
script then receives the part after the "?" as its argv so it opens the
URL and passes it back.  So if you can't run a server but can install CGI
scripts then you can run this "poor man's proxy".

Unfortunately the standard proxy protocol will not work transparently
with this; the CGI script and "?" pasting isn't done automatically by
browsers.  However my PC "webcloak" program does work with this kind of
proxy; it pastes the required prefix string at the front of each URL.  So
if people do start using this approach the CGI proxies may be part of the
solution.

Soon I hope to be far enough along to ask people to start testing some of
this software.  Once I get the webcloak program able to be reconfigured
by the end user I'll ask people to try it to see if it works on anybody
else's PC than mine.  It should hopefully work with anything that uses
Winsock.

Eventually I hope to see a lot of people running web proxies and privacy
proxies (which just pass requests through to other web and privacy
proxies - these are very simple connection redirectors, but do encryption
and decryption for privacy).  The end user can connect to a web site and
update his list of proxy servers.  Then when he fires up his local proxy
interface program it can ping the various servers and print a summary of
their response times.  He clicks on the ones he wants, setting up a
chain.  Only the last one in the chain needs to be capable of proxying
http requests, the others just pass data through.

The local program connects to each of the proxies and negotiates a
session key using PK encryption.  This will be cached and used over a
moderately extensive period of time, at least a few minutes.  We can't
possibly do a PK decryption for each link in a proxy for every .gif file
in a page.  That would be too slow.  So instead it will just send a cache
identifier to indicate which encryption key is in use.

This is all pretty ambitious as you can see, but I am trying to do it
incrementally.  Even a basic system without encryption and where the user
has to edit a text file to choose his proxy chain will provide some
privacy protection.  So I hope I will be able to interest people in
providing the infrastructure needed for privacy protection on the Web.

Hal

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQBVAwUBMA3umxnMLJtOy9MBAQHpSQIAvI/YB9JmGgwIaFWxCegAUtZ94eIHvOFU
wVQPdXlvaLup8Kjcx1wTPm/oib8u7Ema+6eb/MGsQWrnYtCO8emoew==
=zx5U
-----END PGP SIGNATURE-----