1

So I'm always browsing the web through Privoxy using, at minimum, these rules:

vi /etc/privoxy/user.action

{ +redirect{s@http://@https://@} }
.chrome.google.com
.code.google.com
.docs.google.com
.encrypted.google.com
.googlecode.com
.googlelabs.com
.mail.google.com

# google calendar
{ +redirect{s@http://www.google.com/calendar/@https://www.google.com/calendar/@} }
.google.com

# google notebook
{ +redirect{s@http://www.google.com/notebook/@https://www.google.com/notebook/@} }
.google.com

This is working great; in short, it ensures that if I visit, e.g., a Google Notebook page, it's always using encryption. So if I forget to type "HTTPS" and I type "HTTP" in a Google Notebook URL, it redirects me to the HTTPS version of Google Notebook.

But... a strange thing happened several times a few weeks ago: when I used Privoxy I just couldn't reach Gmail.com, or Google Notebook, etc. If I configured Firefox to not use Privoxy, I could reach Google Notebook pages, or Gmail, etc.

The error message when I used Privoxy was [from the web browser]: "connection timed out". [I tried to restart Privoxy, restart the machine, and I tried it on other machines with different OSes, at different places/ISPs]

So the Q: Could it be that I was attacked, or that there were any problems with Google Notebook, Gmail over CLEANLY* HTTPS?

*CLEANLY means that CLEANLY over HTTPS [redirecting all http://mail.google.com requests to .

I'm using Privoxy because it could defend me from sslsniff-like attacks [FIXME] -> so that HTTPS connections could get degraded to HTTP.

LanceBaynes
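An added example (not part of the original post) that models how rule sections like the ones above are evaluated, so their coverage can be checked offline against constructed test URLs. It assumes Privoxy's documented semantics: a leading-dot pattern matches the domain and its subdomains, and when several matching sections set the same parameterized action (here `+redirect`), the last matching section wins.

```python
import re
from urllib.parse import urlsplit

# Rule sections transcribed from the user.action above: (sed-style command, host patterns).
SECTIONS = [
    ("s@http://@https://@",
     [".chrome.google.com", ".code.google.com", ".docs.google.com", ".encrypted.google.com",
      ".googlecode.com", ".googlelabs.com", ".mail.google.com"]),
    ("s@http://www.google.com/calendar/@https://www.google.com/calendar/@", [".google.com"]),
    ("s@http://www.google.com/notebook/@https://www.google.com/notebook/@", [".google.com"]),
]

def host_matches(pattern, host):
    """Assumed semantics: '.example.com' matches example.com and any subdomain of it."""
    bare = pattern.lstrip(".")
    return host == bare or host.endswith("." + bare)

def effective_redirect(url, sections=SECTIONS):
    """Return the one redirect command in force for url (last matching section wins)."""
    host = (urlsplit(url).hostname or "").lower()
    chosen = None
    for command, patterns in sections:
        if any(host_matches(p, host) for p in patterns):
            chosen = command  # a later section overrides an earlier one
    return chosen

def apply_redirect(url, sections=SECTIONS):
    """Return the redirect target, or None when the request passes through unchanged."""
    command = effective_redirect(url, sections)
    if command is None:
        return None
    _, regex, replacement, _flags = command.split(command[1])
    rewritten = re.sub(regex, replacement, url, count=1)
    return rewritten if rewritten != url else None

def audit(urls, sections=SECTIONS):
    """Map each plain-HTTP URL to its HTTPS target, or None if it stays on HTTP."""
    return {u: apply_redirect(u, sections) for u in urls}

# Constructed test URLs, not taken from any log.
SAMPLE = ["http://mail.google.com/mail/", "http://www.google.com/notebook/x",
          "http://www.google.com/calendar/render", "http://code.googlecode.com/p",
          "http://www.google.com/search?q=a"]

if __name__ == "__main__":
    for url, target in audit(SAMPLE).items():
        print(f"{url:42} -> {target or 'NOT upgraded'}")
```

Under these assumptions only the last matching section's redirect is in force for a host, so passing `audit` a reordered section list shows how placement changes which requests are upgraded.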

2 Answers

11

I don't think this is the appropriate forum to ask for help debugging your privoxy rules; asking on the privoxy mailing lists might get you better answers. That said, I do have some advice for you:

My recommendation: I believe that there's a better way to achieve your goals. Instead of trying to write your own custom Privoxy rules, I recommend that you use HTTPS Everywhere.

By way of background, HTTPS Everywhere is a browser extension for Firefox. Whenever you visit a web site that supports HTTPS (and that HTTPS Everywhere is familiar with), the extension will redirect you to use the HTTPS version of the web site. Others have built up an extensive database that HTTPS Everywhere uses to get you HTTPS protection wherever possible, without breaking your web browsing experience.

Why use HTTPS Everywhere? Let me justify my recommendation of HTTPS Everywhere:

D.W.
2

Could it be that I was attacked, or that there were any problems with Google Notebook, Gmail over CLEANLY* HTTPS?

I don't think you've been attacked using "sslsniff"-like approaches. If you had been, you most probably wouldn't have noticed it.

The "connection timed out" gives a pretty good indication that there was either a slow network or a general network problem.

I am not aware of problems at the Google services you noted, but you have to remember that you don't just dial in to Google itself... your connection hops across several network connections. This means that it only takes one of the servers along the way to be out of order for a short time and you'll notice "connection timed out" messages.

Besides, such a message can point to attacks, but most of the time it doesn't.

I'm using Privoxy because it could defend me from sslsniff-like attacks [FIXME] -> so that HTTPS connections could get degraded to HTTP.

You forgot about the fact that "sslsniff" uses MITM-like (Man In The Middle) attacks, which work in a way that neither endpoint of the connection actually notices that the connection is degraded.

Since Privoxy (being nothing more than a filtering proxy) runs on your local machine, it will only get the same information your machine generally gets... Privoxy has no way of detecting if the connection has been tampered with in most cases of "sslsniff" attacks, since you - being one of the two endpoints - receive information that makes your computer think the connection is still a secure HTTPS connection.

That is what makes "sslsniff" such an often-discussed toolset. It shows that there are security problems that HTTPS actually shouldn't have.

my opinion

All in all, I think you've created a nice set of rules for Privoxy which help you to surf as you like. But I also think you are expecting a bit too much security from a non-caching filtering proxy you're running on your local machine.

Privoxy was never built to be a security tool to protect and secure HTTPS connections. Privoxy was and still is a filtering proxy which was initially made to filter stuff like advertising... not something that will make sure your HTTPS connection is secure.

As a reminder, here's the description from the privoxy website itself:

Privoxy is a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk.

My 2 cents: you can't expect such a tool to do a job it was never built for. Remember: we're talking network security here, not advertising banners and killing links to malware and phishing websites!

UPDATE

In fact, when talking about "sslsniff" or even "sslstrip" (which won't cause ssl errors when in effect), it's known that even tools like "HTTPS Everywhere" fail.

I saw someone answered that "HTTPS Everywhere" would be the perfect choice. And yes, it is indeed a "better choice than Privoxy". Note though that even "HTTPS Everywhere" won't protect you from every kind of HTTPS attack.

For details on "sslsniff", "sslstrip" and the "HTTPS Everywhere" limitations related to it, you might want to check Does HTTPS Everywhere defend me against sslsniff-like attacks?

But "HTTPS Everywhere" is definitely a better choice than relying on Privoxy.