I'm trying to implement a Web Anonymizer (like ktunnel) in java, but I really could not get the idea, I need some information about how a web anonymizer works. I really do not need the source or a sample application, just the idea or a tutorial explaining the anonymizer idea.
Thanks.
A basic anonymizer just acts as an encrypted proxy, creating an encrypted "tunnel" between a proxy server and a client, where all traffic from the client goes through the proxy. This accomplishes 3 things:
The client cannot* be determined by looking at traffic between the proxy and endpoint. Hosts on the other end just see the proxy server.
The content of a client's traffic is hidden from monitoring, because the connection to the proxy is encrypted.
It is impossible* to determine the endpoint for traffic originating from the client, because all of it appears to go to the proxy only.
*In reality, a simple anonymizer doesn't provide full protection, because if you look at the amount of traffic between client and proxy, and the traffic between proxy and various sites, you can associate a specific client with their traffic. This is called traffic analysis.
Fancier anonymizers, such as Tor, provide protection against traffic analysis and a lot of other techniques to break anonymity, BUT that's really beyond the scope of the question.
From your point of view, all that matters is writing the proxy software. Your program should be able to create and manage encrypted connections to clients. This means it needs to be able to (securely) initiate an encrypted connection to a host, pass on connections to external hosts, and then pass traffic back and forth. Basically, it needs to act as a router.
There are protocols in place for how to accomplish this -- I suggest you read up on the SOCKS protocol, or Tor. Your best bet if this is a learning project is to write basic SOCKS proxy software. If this is for actual use, there should be libraries in Java that provide the necessary services.
EdiT:
Ktunnel is a less fancy proxy -- it uses a CGI script to redirect information from a URL back and forth. Basically, you enter an address, it fetches the page for that address, and sends it to you. Fairly simple, actually.
I don't know ktunnel, but for basic information about anonymity networks have a look at Tor at wikipedia.
Related
I am a newbie in network programming in C# and I want to create a proxy server which can be used to restrict users from connecting to internet if they have exceeded the download limit.
My current config is ---- User -> proxy server -> wifi router -> internet.
I searched everywhere and I found that HTTP proxy can be created but it is very hard to create a HTTPS proxy in C#
Even the c# library like Trotinet and mentalis does not support the HTTPS proxy.
But I found that there are many library in JAVA like little proxy that support HTTPS connection.
So, Is it possible to create a fully functional proxy in C#? or should I try switching to JAVA?
One More question. Can I create a simple TCP client read its networkstearm and forward that stream as it is to wifi router without need to read its header or anything, will this method work? Just a guess, sorry for noob question.
Thanks
Answer for your first question : YES, you can create full functional HTTPS proxy with C# (similar to Fiddler). No need for changing to Java. Just for testing purpose you can use Fiddler Core. Fiddler core is a complete HTTPS Proxy written in C#. If you have time and knowledge, do reverse engineering by using reflector on fiddler core and get some idea about implementation.
Last commit on Trotinet has a shy implementation of HTTPS pass thru. So unless you dont want to decrypt the https data, Trotinet will be a good choice.
-Kumar
I'm writing a server-client application where communication is done over the internet and I have several questions and concerns regarding security. I have done some research and found some posts here useful, but I would like more information. Some related questions I read were:
Secure authentication of client over RMI
java rmi authentication & security. exportObject makes it public?
Is communication in java rmi secure?
I have 3 parts to consider:
Information exchanged between the client and the server.
Authentication of the client.
Exploiting a running RMI server (hacking etc.).
What I know:
RMI over SSL. Using SSL sockets instead of the default socket would encrypt all information passed between the client and the server. This includes the objects exchange and method calls.
Authentication using username/password combination over SSL before RMI connection has been established. To my understanding there was supposed to be a way to authenticate inside the RMI connection but it was voted down.
Not too sure what can or needs to be done here. I do know that you can't just write your own client and ask to connect to the server since you need an ObjectID and the remote interfaces. However, is it not possible to decompile the classes \ interfaces you need since they are sent in RMI anyway? I also saw this Youtube video [http://www.youtube.com/watch?v=otjllNaBxiw] while researching and it got me worried with how easy it is, although I don't know if the server was not setup correctly.
All in all, are there other security issues I need to consider in RMI over the internet? Am I missing a solution I need to look at? Is what I already know wrong?
Information exchanged between the client and the server.
RMI over SSL.
Authentication of the client.
Authentication of the client is done by SSL. You mean authorisation, which is 'relatively' easy. Define your own RMIServerSocketFactory that returns an ServerSocket override whose implAccept() method wraps the socket in an SSLSocket, to which you add a handshake listener and set needClientAuth to true on it (and clientMode to false). Your handshake listener should then get and check the client certificate from the SSLSession, to see if the identity it authenticates is authorised, and simply close the socket if non-authorised.
Authorising the server, in the client, is on the other hand baroquely complex. You really need the JERI API in Jini to do it properly.
Exploiting a running RMI server (hacking etc.).
I won't go so far as to say it's impossible, but it's extremely difficult, and there are several strong lines of defence. You need the ObjectID, which is random, and can be made securely random, and you need the classes. Classes and interfaces aren't sent in RMI unless you specifically enable it, and they are sent by a side channel that you can secure arbitrarily strongly, for example with two-way-authenticated HTTPS. So you can't get those. Then you need to get yourself authorised, which basically requires compromising the server. And if that's possible, anything is.
I'm working on the Java backend for a Flash webgame - the client and server communicate using Action Message Format (AMF). A few weeks ago, another team in our company had their product hacked by a user who decompiled the Flash client, and used an altered version to flood the backend with bogus requests. We want to prevent this kind of attack in our new game.
(More details: webserver used is Tomcat, AMF client is BlazeDS.)
I'd like to know what the best way to prevent this kind of attack would be. Some ideas I had:
the nginx configuration seemed like the best place to handle rate limiting, but I cant find any resources on how nginx interacts with AMF. Do the AMF requests just get sent straight to Tomcat?
most requests involve a userId param for the relevant user. Rate-limiting requests involving overused userIds might be one approach - however, an attacker who just wants to flood the server could easily spam random userIds.
doing the same as above but using IP addresses in place of userIds could work. However, I can't tell if it's possible to get the IP address from an AMF request.
Your Java application should pass unique identifier to the firewall of host operating system and block that client. With this action you would be able to prevent your application from working on things that it isn't supposed to do (being a firewall).
What I mean is like servers on video games. You can run an application and it will set up a server on your computer with an IP and a port.
For example, how would you make an application where one host application sets up a thing where it has an IP and a port, and another computer that has access to the internet as well can type in the IP and port and it would be able to communicate with the host? I mean simple communication, like sending a boolean or String.
And would there be any security problems that would be needed to fix?
I guess I grasp the concept of your question...
You want two computers to connect via internet right? If that is the case, then you will have to use a thing called "sockets" that do connections between computers. About the server thing, well, for starters the client must always know what IP the server as (direct IP or by a DNS), and then you can connect your client to your server. There is a tutorial for sockets at the java pages: http://download.oracle.com/javase/tutorial/networking/sockets . About security issues, well, you must make sure that your server can handle anything that comes from the client (i really mean everything), i mean, accepting every type of data that is supposed to receive and deny everything that is not (trash per say). If you have that in mind then there is no problem (and of course, the server must have a firewall also to control the sockets, but that's not up to you).
Here is an example of how to use sockets to send a string from a server to a client.
http://www.java2s.com/Code/Java/Network-Protocol/StringbasedcommunicationbetweenSocket.htm
The site has about 20 examples of how to do what you are trying to do. In general I find this site to be the best JAVA resource that I know.
In general, the thing you probably want is a Socket. Sockets allow you to send bytes to an endpoint via TCP or UDP. This is very low-level, though, and are somewhat tricky because you have to design your own application protocol. You may want to use something that offers more abstraction.
Java sockets expose a stream interface so you could just encode integers as strings, for instance, and send them line by line, or you could do something fancier and more efficient like using a DataOutputStream to wrap it.
Handling the following issues can improve security.
If you have router ,set different ports for routing.
Example: If you are running server say on port 6001, map a virtual port say 9001 , which would be exposed to public.
DDos
IP Restriction - Not every user can access your machine !
Enabling router firewall does handle most of the issues.
I have java web application to which I'd like to add emailing capabilities, however, I'm unsure what is needed to accomplish this. Specifically I want my app to be able to:
Send emails confirming sign-up
Allow users to send emails to one another, using my app's domain i.e. dan#my-app.com
From my research it seems I'll need a mail transfer agent (MTA) like Postfix and possibly a IMAP server like Courier; but I don't understand the need for the IMAP server.
Thanks.
You need code inside your web app to create and dispatch the email into the SMTP-world. Usually JavaMail is used for this, and you can either enclose it in your web application or (preferred) have the web container provide a correctly configured instance through JNDI. This is vendor specific.
If you do not have a SMTP-server for JavaMail to connect to (frequently this is Exchange for Windows shops), you can either get one running (ask your IT administrator) or use Google Mail or Hotmail or others if it is ok for your web application to send mail through them. It is a bit tricky to use GMail as a SMTP-server, but when set up correctly works very well.
You will need the SMTP-server, as it handles all the boring details regarding MX records and resending if the SMTP-server does graylisting, etc. etc.
Oh, and IMAP is for getting delivered mail, not sending mail. You don't need it.
If it's a Java web app, then the server part is a servlet. Given an email message sent from a client form, your server needs to send that text off as an email.
There's code in the Java EE stack to do this, or you can specifically download JavaMail. This will allow your programs to act as mail clients.
Your MTA receives messages from your servlet and sends them to the users. So far so good.
But you also need a postbox, i.e. the equivalent of a mail in-box for your users. Postfix, QMail and others offer a basic "flat" mailbox model, where mail is simply stored until the client picks it up, and then (usually) deleted. Access is via POP3. IMAP offers a lot more organizational capability, i.e. the ability to specify hierarchies of nested mailboxes, to transfer mails between them and so on. You probably won't want to create a GUI front end to all that complexity, so I'd guess you don't really need an IMAP server. You do, however, want a relatively simple POP3 server to allow your servlet to access the mailboxes via TCP/IP. This is usually part of the "standard" email server packages.
To have your own domain known to the world, you need access to the MX records of your DNS service, i.e. you have to set up one or two of your hosts, on an Internet-facing address, to be your post office.
Finally, if you want to save yourself a lot of trouble, be very careful in configuring your MTA (SMTP server) such that there is no chance for it being used as an open relay. i.e. it should not be possible for your users to send mail to the outside world in general (or hackers will find a way to abuse your Web interface to do this), and mail from the Internet should not reach your users. Most importantly, there should be no way for mail from the Internet to be forwarded to someplace else in the Internet. Find an open relay testing service (they're free) on the 'net and get one to run a test on your configuration once you think you're done.
EDIT:
Looking at Thorbjorn's answer, I realized you probably don't want your users receiving their mail through your app; they probably already have email providers and accounts of their own. In that case, you don't need to worry about inbox capability or a POP3 server. You could consider offering full email services at your domain but that's a very thankless job and if you have any choice, leave that dirty work to GMail, Yahoo, Hotmail and their ilk. Whatever service you provide will never please your customers enough, and you'll be fighting spam and other crime every day.
For starters your server has to have mailing abilities. In linux land sendmail is usually what this will be.
Additionally, check out javaMail.
http://www.oracle.com/technetwork/java/index-jsp-139225.html