I need answer to one very basic question.
Is it necessary to have telnet access to hit an API while systems are connected over VPN? For example, if my system exposed an API for other systems to hit and they are connected in VPN using IPsec, does a third party system needs telnet access to my server for using that API? The API uses soap protocol for receiving request and sending response.
(I did not find out the solution using google. The question is so naive that I had to assume everyone must already know the answer and does not bother to discuss it in web. Sorry for bothering with this simple question)
This is very strange. Accessing an http endpoint for anything else than dev using telnet doesn't really make much sense to me. If someone is using telnet to fetch informations from a server in an application. Something is already really wrong. If telnet is timing out while doing http requests. It's not really your fault and you shouldn't have to worry about edge cases like this.
If the dev is using telnet to discover security issues. This is a different issue and you could probably log anything that come from this particular client. If you gave hime some credentials, it should be easy to find who is doing which request. (I believe you might be already doing this).
You should probably ask the dev "why are you using telnet?". If for whatever reason the dev though he could send a plain SOAP request to your server using telnet without sending HTTP headers and so on.... then yes the connection is likely to timeout because the server isn't going to handle the request.
In my twisted mind, I can imagine some kind of legacy application calling scripts that open telnet sessions to parse some data and return the "parsed" data to the patched legacy project that doesn't handle http/tcp. I'd have in mind some sort of old Cobol application. Much more easier to do system call than to rewrite the whole thing to support APIs.
If for whatever reason, the client claims that telnet is needed for whatever reason. You can tell him back that telnet shouldn't be considered secure. Your api can be accessed using https. As far as I remember telnet doesn't encrypt anything unless you send encrypted data. If your client was able to hack a solution using telnet, I'm pretty sure they can hack a different solution wich use an actual http client.
Related
So I have this server where I host more than one website for professional purposes. But I also like to develop game websites and I would like to create a roguelike game with HTML5.
The game engine itself would be developped in C++ on the server and the client should ask the server what changes in the environment after every move.
So, normally, I would send an ajax request to the server where apache would reroute the request to my C++ application which is running as a FastCGI Service. My C++ application would check the session, look up if the movement is valid, change the internal values so that the character moves, also changes other things in the environment, and would then send the changes back to the client.
But ajax requests can be relatively slow, opening and closing connections all the time. So when I read about websockets, I thought I was in heaven until I saw that it will interfere with Apache and Apache is not really optimized to work with it.
Obviously, I could create a web socket on a different port, but with all those firewalls out there, I don't think that's a good option.
So, is there a way to combine the two? Where apache is able to understand that a websocket request should be ignored and passed on to my application instead?
TL;DR
I want to set up a local HTTPS proxy that can (LOCALLY) modify the content of HTML pages on my machine. Is this possible?
Motivation
I have used an HTTP Proxy called GlimmerBlocker for years. It started in 2008 as a proxy-based approach to blocking ads (as opposed to browser extensions or other OS X-specific hacks like InputManagers). But besides blocking ads, it also allows the user to inject their own CSS or JavaScript into the page. Development has seriously slowed, but it remains incredibly useful.
The only problem is that it doesn’t do HTTPS (from its FAQ):
Ads on https pages are not blocked
When Safari fetches an https page using a proxy, it doesn't really use the http protocol, but makes a tunneled tcp connection so Safari receives the encrypted bytes. The advantage is that any intermediate proxies can't modify or read the contents of the page, nor the URL. The disadvantage is, that GlimmerBlocker can't modify the content. Even if GlimmerBlocker tried to work as a middleman and decoded/encoded the content, it would have no means of telling Safari to trust it, nor to tell Safari if the websites certificate is valid, so Safari would think you have visited a dubious website.
Fortunately, most ad-providers are not going to switch to https as serving pages using https are much slower and would have a huge processing overhead on the ad-providers servers.
Back in 2008, maybe that last part was true…but not any more.
To be clear, I think the increasing use of SSL is a good thing. I just want to get back the control I had over the content after it arrives on my end.
Points of Confusion
While searching for a solution, I’ve become confused by some apparently contradictory points.
(Also, although I’m quite experienced with the languages of web pages, I’ve always had a difficult time grokking networks and protocols. On that note, sorry if I’m missing something that is way obvious!)
I found this StackOverflow question asking whether HTTPS proxies were possible. The best answer says that “TLS/SSL (The S in HTTPS) guarantees that there are no eavesdroppers between you and the server you are contacting, i.e. no proxies.” (The same answer then described a hack to pull it off, but I don’t understand the instructions. It was very theoretical, anyway.)
In OS X under Network Preferences ▶︎ Advanced… ▶︎ Proxies, there is clearly a setting for an HTTPS proxy. This seems to contradict the previous statement that TLS/SSL’s guarantee against eavesdropping implies the impossibility of proxies.
Other things of note
I can’t remember where, but I read that it is possible to set up an HTTPS proxy, but that it makes HTTPS pointless (by breaking the secure communication in the process). I don’t want this! Encryption is good. I don’t want to filter anyone else’s traffic; I just want something to customize the content after I’ve already received it.
GlimmerBlocker has a nice GUI interface, but I’m fine with non-GUI solutions, too. I may have a poor understanding of networking and protocols, but I’m perfectly comfortable on the command line, tweaking settings in text editors, and so on.
Is what I’m asking possible? Or is my question a case of “either you get security, or you can break it with hacks and get to customize your content—but not both”?
The common idea of a HTTP proxy is a server which accepts a CONNECT request which includes the target hostname and port and then just builds a tunnel to the target server. All the https is done inside the tunnel, so there is no way for the proxy to modify it (end-to-end security from browser to web server).
To modify the data you need to have a proxy which plays man-in-the-middle. In this case you have a https connection between the proxy and the web server and another https connection between the browser and the proxy. Between proxy and web server the original server certificate is used, while between browser and proxy a newly created certificate is used, which is signed by a CA specific to the proxy. Of course this CA must be imported as trusted into he browser, otherwise it would complain all the time about possible attacks.
Of course - all the verification of the original server certificate has to be done in the proxy now, and not all solutions do this the correct way. See also http://www.secureworks.com/cyber-threat-intelligence/threats/transitive-trust/
There are several proxy solution which might do this SSL interception, like squid, mitmproxy (python) or App::HTTP_Proxy_IMP (perl). The last two are specifically designed to let you modify the content with your own code, so these might be good places to start.
I have an existing client that is written in ActionScript that I want to completely replace.
Python and Twisted appear to be the ideal candidate. No changes to the server are allowed.
1..What are the possible stumbling blocks?
2..Is it probable that Twisted can be used to create a bit perfect network connection that would be the same as the current client?
The connection is authenticated and uses SSL.
This is too hard to answer without knowing everything about your current client. Try something, and if you have a problem, ask a separate question.
Yes. Twisted doesn't have any restrictions on what kind of network traffic it can create.
Twisted does support SSL out of the box.
It seems like you should be able to use telnet to manually make json-rpc calls. However, when I try this, I get no response at all from the server and have to shut down the telnet client. Do I need to send headers and/or somehow indicate that my input is complete?
You have a small problem: you've completely misunderstood everything!
https://en.bitcoin.it/wiki/API_reference_%28JSON-RPC%29
It says right there that it supports JSON-RPC over HTTP. Nothing at all about JSON-RPC over plain TCP (what you're calling "Telnet" protocol).
You say "It seems like you should be able to use telnet to manually make json-rpc calls" but you don't mention how you came to this conclusion.
JSON-RPC is typically implemeted over HTTP, but can be implemented over plain TCP, websockets, or any bi-directional internet protocol. That being said, the overwhelming majority of JSON-RPC server implementations expose their APIs via JSON-RPC over HTTP.
As others have mentioned, you can talk HTTP from a telnet client and the payload of that conversation can be JSON-RPC.... if you know how. Just because you can doesn't meant you should.
I have a project that will let you host a Json-Rpc server over telnet if you like. It doesn't come with telnet support built in, but it would be trivial to host it over telnet. See the console hosting example and just replace the console with a telnet server.
http://jsonrpc2.codeplex.com/
Ok so what I want to do is create a background agent that monitors http traffic to/from a certain application and performs actions when there are requests and responses to a certain website. Is there a good way to do this in Cocoa? I'd like to avoid using really low level sniffing and/or requiring root access to do this (admin access is ok).
If the application your trying to monitor supports proxy servers you could write one and use that in your app. That probably is the easiest solution.
If that doesn’t work you could use something like mach_inject and mach_override to overwrite some socket system calls (socket and write probably are enough) in the program you’re going to monitor. That’s some kind of dark art though, so you’re probably better off using a packet sniffer like tcpdump and control that using a pipe.
Admin privileges (which are almost the same as root) are required for all of this, except the proxy solution.
Here's tcpdump and it's library libpcap:
http://www.tcpdump.org/tcpdump_man.html
and
http://www.tcpdump.org/pcap3_man.html
There's a tutorial here:
http://www.tcpdump.org/pcap.htm
Like Sven said you'll need admin privileges to do anything spectacular.