[OmniOS-discuss] SSH over HTTPS

Saso Kiselkov skiselkov.ml at gmail.com
Tue Dec 17 14:29:53 UTC 2013


On 12/17/13, 2:14 PM, John D Groenveld wrote:
> In message <52B03A8D.8090309 at gmail.com>, Saso Kiselkov writes:
>> Minor side-note, unless the proxy is trying to brutally MITM the session
>> (forged certificates and all), then there's absolutely no way for it to
>> know if a particular TLS session is carrying HTTPS traffic or something
>> else (short of doing some kind of statistical analysis of the traffic
>> flow, that is).
> 
> I believe Palo Alto Networks' product combines stateful firewall and
> application proxy inspection.
> <URL:https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/tech-briefs/paloaltonetworks-vs-proxy.pdf>

Which does it exactly by utilizing statistical analysis, as I mentioned.
That having been said, it's trivial to break through that by simply
encapsulating your SSH traffic using HTTP tunneling software. Then, for
all intents and purposes, your traffic looks like regular HTTPS (because
it is). Of course they may choose to filter anything that exchanges
small HTTP requests too aggressively, but that would probably break a
fair number of AJAX-based web apps such as GMail (which can be rather
chatty over the line, frequently exchanging tiny XML blobs as you type
messages, etc.).

Cheers,
-- 
Saso
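
The trade-off described in the message above, as an added example that is not part of the original post: a size-and-rate heuristic that flags small, frequent requests inside a TLS session also flags chatty webmail. The flow records, feature choice, and thresholds are constructed assumptions, not any vendor's method.

```python
from statistics import median

# Constructed sample data (not from the thread): client-to-server request
# sizes in bytes seen inside one TLS session, and the session length in seconds.
FLOWS = {
    "bulk_download":      {"seconds": 60, "sizes": [420, 510, 390]},
    "chatty_webmail":     {"seconds": 60, "sizes": [88, 95, 130, 90, 104, 120,
                                                    96, 110, 99, 101, 140, 92]},
    "http_tunnelled_ssh": {"seconds": 60, "sizes": [112, 128, 112, 144, 112, 120,
                                                    112, 136, 112, 128, 112, 116]},
}

def features(flow):
    """Return (median request size in bytes, requests per minute)."""
    rate = len(flow["sizes"]) * 60.0 / flow["seconds"]
    return median(flow["sizes"]), rate

def flag_small_chatty(flows, max_median, min_rate):
    """Names of flows whose requests are both small and frequent."""
    flagged = []
    for name, flow in flows.items():
        med, rate = features(flow)
        if med <= max_median and rate >= min_rate:
            flagged.append(name)
    return sorted(flagged)

def collateral(flows, target, min_rate=10):
    """Other flows flagged by the tightest size threshold that still catches target."""
    threshold, _ = features(flows[target])
    hits = flag_small_chatty(flows, threshold, min_rate)
    return [name for name in hits if name != target]

if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(name, features(flow))
    # Hypothetical thresholds: median <= 256 bytes, >= 10 requests per minute.
    print("flagged:", flag_small_chatty(FLOWS, 256, 10))
    # Even the tightest size cut-off that still flags the tunnel hits webmail.
    print("collateral:", collateral(FLOWS, "http_tunnelled_ssh"))
```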

