NLUUG E-Zine: On ProxyTunnel
Apr 05, 2002, 05:00
[ Thanks to Muppet for this link. ]
"When I first plunged into the internals of HTTPS proxies, the idea on how to abuse these for unlimited Internet access immediately came to me. It dawned on me that, in essence, an HTTPS web proxy is a sort of tunnel into the Internet for everyone who is willing to speak the HTTP protocol's CONNECT command. And since all the traffic that passed through the tunnel is supposed to be SSL encrypted (so as to form an unhindered SSL session between the browser and the HTTPS server), there are little or no access controls possible on such a tunnel. I filed these ideas under the section 'Interesting; must do something with this later'...
"When 'later' came, it turned out that the realisation described above could have very interesting security repercussions..."