Discuss this help topic in SecureBlackbox Forum

The types of proxies supported in SecureBlackbox

SecureBlackbox supports several proxy types, namely SOCKS, HTTPS proxies (WebTunneling) and, for some kinds of connections, HTTP proxies.

SOCKS proxies use SOCKS protocol, described in RFC 1928 and RFC 1929.

WebTunneling (HTTPS Proxy) is a feature provided by some HTTP proxy servers. This feature is described in RFC 2817 as a CONNECT command. Using this command the server opens a transparent communication to remote host. The side-effect of this feature is that any data can be tunneled via HTTPS proxy server. HTTPS proxy was invented to ensure end-to-end security of the communication. With such proxy the client sends special request to the proxy with CONNECT verb. The proxy builds an opaque tunnel by connecting to the requested server using TCP and nothing else. After socket connection is established, HTTPS proxy sends 200 OK response to the client and starts forwarding data from the client to the server and back. Such design means that the client and the server are not limited to HTTPS traffic. In fact, any protocol can be tunneled using HTTPS proxy and CONNECT verb. End-to-end security is achieved by establishing secure channel between the client and the server after the proxy has connected to the server and confirmed the operation to the client.

With a regular HTTP proxy an HTTP client sends a request to an HTTP proxy and asks the proxy to retrieve the remote resource and forward the resource data to the client. The resource can be accessed using the protocol different from HTTP, i.e. if the HTTP proxy supports this, the client can pass FTP or other URL. This includes HTTPS resources as well. HTTP client sends a request using common HTTP verbs, such as GET, POST, HEAD etc. HTTP proxy accepts the request from the client, analyzes it and acts accordingly. If the remote resources needs to be retrieved (and can not be taken from the cache, for example), HTTP proxy establishes connection to the remote server and acts as a client for that remote server. The resource is downloaded and passed to the client. End-to-end security can not be achieved using just an HTTP connection. It is possible to ensure security by protecting the resource beforehand, but even when both the client and the proxy use HTTPS, the proxy has access to original data, not protected by HTTPS. Moreover, the unprotected data possibly stays in the cache of the proxy (if the proxy uses caching).

How To articles about socket-related questions

Discuss this help topic in SecureBlackbox Forum