|
Posted by Sander Smith on February 8, 2005, 7:43 am
If you were Registered and logged in, you could reply and use other advanced thread options
There are many applications out there now (LogMeIn, I'm InTouch, etc.) to
give you remote access to your computer/files and claim to be secure. My
question is how do the security features on these things work?
The way these systems work in general is pretty straight forward. You run
their agent on your computer at home and it sits and waits for
connections. Then, you can connect to your computer remotely to either
remotely control it or just grab files off of it. You do this through a
browser that is connected to a gateway that they run, and it somehow
connects to your computer and allows access to your files.
Now the obvious way to set up security in such a situation is to set up
an SSL link between the browser and the gateway, and then another SSL
link between the gateway and my computer. Note that the SSL certificate
on the gateway that the browser sees must be signed by a well known CA,
but the other certificate can be private since the company that creates
this service owns both ends of the link. The problem with this system is
my personal data is in the clear at their gateway where their employees
can see it. Hence it is not secure at all.
So how can they do this more securely? Here's what I know:
1) These companies claim to give end-to-end security so that their
gateway cannot read your data.
2) The certificate that you see at the browser end belongs to the
gateway.
3) You do not have to open up a port on the firewall at your computer's
end. Obviously, they are doing port forwarding from your computer to
their gateway.
It seems that with what they want to do, they could just open up an SSL
tunnel through their gateway to your computer. However, that would
require opening up a firewall port. It would also mean that the
certificate that is viewable on the browser came from your computer and
not the gateway.
So does anyone have any idea what can be going on. I've seen this
situation described as a "Reverse HTTPS Tunnel" but can't seem to find
any references to it. Any ideas?
|
| Similar Threads | Posted | | Free HTTPS tunnel: Calling for beta testers | December 3, 2005, 4:57 pm |
| Reverse DNS | May 1, 2005, 7:42 pm |
| Web Application Firewalls / Reverse Proxies? | January 30, 2007, 4:20 am |
| Commercial Web Application Firewalls or Reverse Proxies? | October 22, 2005, 8:06 pm |
| Firewall / Reverse Proxy Config Questions. | March 16, 2006, 9:26 pm |
| Problem with HTTPS through PIX for OWA | November 21, 2006, 6:46 pm |
| Kerio, https, icq,.. NAT problem | January 28, 2005, 12:05 pm |
| Netscreen admin can't use HTTPS? | February 27, 2005, 5:31 am |
| https inbound policy NS-25? | June 5, 2008, 12:43 am |
| Access with HTTPS to a HTTP server | July 30, 2004, 2:45 pm |
|
XML site map