Introduction
Many companies allow Internet access only when clients first connect through a proxy server. In this chapter we discuss proxy servers and explain how Google Talk can be configured to connect through them.
What Are Proxies?
What are proxies, and why do we need them? To figure that out, you first need to understand how communication occurs between computers on the Internet. For example, when connecting to a Web server such as http://googletalk.blogspot.com, your Web browser will connect directly to the site, request the Web page, and display it on your screen. When the Web server wants to send information back to you, it does so directly to your computer, based on your computer's IP address.
A proxy is a server that stands between you and another machine that you are communicating with. If you connect to blogspot.com through a proxy server, the proxy server accepts your request, connects to the target server, and retrieves the Web page for you. After retrieving all the data, it then sends a copy to your Web browser for you to view on your screen. When working through a proxy, you never make any direct connection to the server that is holding your data; instead, the proxy makes the connections for you, as shown in Figure 6.1.
Figure 6.1 Communicating With a Proxy (diagram: Client Computer, Proxy Server, Internet; a Direct Connection compared with a Proxy Connection)
Why Use Proxies?
So proxy servers allow us to send our data through another machine. Why is this so important, and why should we be interested in the prospect? Proxies have many uses, some legitimate and some not so legitimate. A proxy itself is a dumb server that simply relays information, but depending on who uses that proxy, it can be a tool used for good or evil.
Proxy servers are normally installed in many corporate network environments as a means of monitoring traffic leaving the network. This proxy server is usually placed as the single point of egress. In layman's terms, that means everyone exits through the same door instead of jumping out their office windows. Some corporate environments allow traffic to leave and go onto the Internet only if that traffic first passes through a designated proxy server, which then logs and monitors all that activity. To use Google Talk in such an environment, you must configure it to connect to Google's servers through your corporate proxy, as shown in Figure 6.2.
Figure 6.2 Communicating Through a Corporate Proxy (diagram: Client Computer, Proxy, Internet, Google Talk Server)
Proxy servers can also be used to camouflage your activity from network administrators on your network. Even if a network does not require the use of an internal proxy server, administrators can monitor the traffic through egress points to determine what activity is taking place within their networks.
If connections are seen from your computer's IP address to Google's Talk servers, it would be fairly obvious to your corporate IT administrators that you are using the Google Talk client. You can attempt to hide your actions by using a proxy server. If your network administrators then attempt to monitor the traffic, they will only see communications between your computer and the proxy server; all the connections from the proxy to Google will take place outside the network, where they cannot be monitored.
Besides hiding your traffic, a proxy server can be used to allow you to access a server that has been blocked by a network administrator. Just as many enterprise networks block known "time-sink" Web sites, such as Orkut, MySpace, eBay, and Microsoft's Support site, they can block access to known instant-messaging servers on the Internet. Many of these blocks are made using very simple rules, such as "Block all TCP connections to port 5222 on talk.google.com." As many college students have already discovered, when their college doesn't want them to visit a popular site, proxies will let them regain their access to those forbidden places.
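The monitoring side of the picture above, as an added example that is not part of the chapter: a small egress-log audit that applies the two controls the text describes, a single proxy as the only permitted Internet egress point and a simple rule such as "block all TCP connections to port 5222 on talk.google.com". The log format, the proxy address 10.0.0.5, the 10. internal range and every log line are constructed for the example.

```python
"""Constructed egress-audit example (added; not from the chapter).

Models two controls from the text: the proxy is the only host allowed to
reach the Internet directly, and a destination block rule for
talk.google.com port 5222. Addresses, names and log lines are constructed.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst_host dst_port proto")

# Constructed: the one host permitted to talk to the Internet directly.
PROXY_IP = "10.0.0.5"
# Constructed: internal address space; anything else counts as "the Internet".
INTERNAL_PREFIX = "10."
# The block rule quoted in the text: TCP to talk.google.com port 5222.
BLOCK_RULES = {("talk.google.com", 5222, "tcp")}

# Constructed flow log: "timestamp src dst_host dst_port proto" per line.
SAMPLE_LOG = """\
2007-01-01T09:00:01 10.0.1.20 www.example.com 80 tcp
2007-01-01T09:00:02 10.0.0.5 www.example.com 80 tcp
2007-01-01T09:00:03 10.0.1.20 talk.google.com 5222 tcp
2007-01-01T09:00:04 10.0.1.21 10.0.0.5 8080 tcp
2007-01-01T09:00:05 10.0.1.22 203.0.113.9 22 tcp
"""


def parse_log(text):
    """Turn the constructed log text into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, port, proto = line.split()
        flows.append(Flow(ts, src, host, int(port), proto))
    return flows


def is_internal(host):
    return host.startswith(INTERNAL_PREFIX)


def classify(flow):
    """Return a finding label for a policy violation, else None."""
    if (flow.dst_host, flow.dst_port, flow.proto) in BLOCK_RULES:
        return "blocked-destination"
    if is_internal(flow.dst_host):
        return None            # internal traffic, including client -> proxy
    if flow.src != PROXY_IP:
        return "proxy-bypass"  # a client reaching the Internet on its own
    return None


def audit(text):
    """Map each offending (src, dst_host, dst_port) to its finding."""
    findings = {}
    for f in parse_log(text):
        label = classify(f)
        if label:
            findings[(f.src, f.dst_host, f.dst_port)] = label
    return findings
```

Run against the constructed log, the proxy's own fetch of www.example.com and the client-to-proxy connection on 8080 pass, the direct fetch from 10.0.1.20 and the outbound SSH from 10.0.1.22 are reported as proxy bypasses, and the direct XMPP connection is reported against the block rule. The same logic is what makes the SSH tunnel described later in the chapter visible at the egress point: the destination changes, but the flow still originates from a client rather than the proxy.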
Notes from the Underground…
Using Proxies to Bypass Corporate Security
Although it is technically possible to use a proxy server to bypass company filters and monitors, doing so could be considered a breach of your company's acceptable-use policies. Nearly all network administrators want to be aware of all traffic entering and leaving their networks, and they don't take kindly to users circumventing their monitoring or security systems. In other words, using a proxy could get you fired from your job. Caveat emptor, YMMV, and YOYOMF. In plain English, be careful when using proxies and seek your network administrator's permission first.
Configuring Google Talk to Use Proxies
The Google Talk client allows you to easily configure communications through a proxy server via its configuration screens. From within the Google Talk client, click the link labeled Settings in the upper-right corner to be shown the configuration window. To display the proxy settings, click Connection from the list that appears on the left side, as shown in Figure 6.3.
Figure 6.3 Configuring Proxy Settings in Google Talk
By default, Google Talk is configured to Detect proxy automatically, which means that Google Talk will attempt to pull proxy information from Internet Explorer. Most corporate networks that use a proxy server will have the server set up automatically within Internet Explorer. If so, then you won’t
name of the proxy server that you'll be using, and Port is the numeric port number on which the proxy server is accepting connections. Each proxy server has its own self-defined port number, though it is usually something like 80, 1080, or 8080. You will also notice additional authentication fields in this screen that are not enabled by default. Most proxy servers in use do not require authentication, but some do. If you are connecting to a "closed" proxy, which does not accept anonymous connections, you will need to check the box labeled Proxy requires Authentication, and type the username and password in the fields provided.
Once you've filled out all the fields with correct information, press the OK button to close the configuration window and return to Google Talk.
You can then attempt to connect using the new settings by changing your status to Available, to force a login.
Onion Router Proxies
Onion router proxies are a unique innovation in the proxy world. Onion routing provides data anonymity through the Internet, which is quite useful if you're attempting to use Google Talk from within an oppressive political regime.
Instead of a single proxy server relaying your data, onion routing takes advantage of a network of multiple proxy servers, as shown in Figure 6.4, through which data is randomly bounced around before it reaches the intended target.
It’s like walking to work every day and selecting a random route each time. If someone were attempting to track your whereabouts, it would be extremely difficult for them to do so if you randomly jumped down side streets and dived into manholes between your house and your workplace. Onion routers also encrypt all the traffic from your computer and throughout the proxy net- work. So, not only are you taking new routes to work every day, you’re also switching disguises to a random Battlestar Galactica character between each intersection.
There are numerous applications used for onion-routing networks, including JAP (http://anon.inf.tu-dresden.de/index_en.html), I2P (www.i2p.net), and Tor (http://tor.eff.org). Tor is one of the most common and well-known onion networks; much of the technology that we'll discuss here will be focused on it.
Figure 6.4 Google Talking Through an Onion Routing Network
How Onion Routing Works
To take advantage of an onion routing network, you must first have client software installed that takes your network traffic and runs it through that network. For the duration of this chapter, we will use Tor for our examples. Tor can be downloaded from its homepage at http://tor.eff.org/download.html and is available in a variety of formats. The most common format is a bundle kit of Tor, Privoxy, and Vidalia, which we'll discuss later. You can also download packages for both Mac OS X and Linux.
Onion routing takes packets from your computer and bounces them throughout the Onion Router (OR) network until they exit the network and contact the remote host. For this sequence to proceed, your client must first build a circuit through the OR network. Each Tor client has a database of all available Tor servers on the network, and the client plans out a circuit
(Figure 6.4 labels: Onion Routing Network, Client Computer, Google Talk Server; legend: Encrypted Text, Clear Text)
share the same key. However, you never connect to each OR individually; the messages are passed along through the circuit that you've created. In the example shown in Figure 6.4, six separate ORs are used to create the circuit; each one holds a unique encryption key, and each one only knows of the existence of the server before and after it in the circuit. The final portion of the circuit is designating an exit server, which is an OR that volunteers to pass data from within the OR network unencrypted to servers on the Internet.
Once this circuit has been created, all traffic from your computer will be routed through it for a small period of time, after which the circuit will be broken down and a new, random one will be created.
After the creation of the circuit, you are ready to send and receive data to servers on the Internet. When your client sends a packet of data out, the packet is transmitted in multiple layers of encryption: once for each OR it must pass through. For example, if the text "Hi, Bob!" is to be transmitted through the six ORs in Figure 6.4, the text would first be bound in six layers of encryption, like {{{{{{Hi, Bob!}}}}}}. As the packet leaves your computer, it is received by the first OR, which removes the first layer of encryption. After skinning this layer off, it is unable to read the text because of the five other layers of encryption. So, it simply passes the data off to the next OR. Each OR then removes the outer layer of encryption until the packet is handed off to the exit server. This OR will remove the final layer of encryption, revealing the raw packet contents, which it then forwards on to the Internet recipient (Google Talk's server).
Once data is sent back from the Internet server to the Tor network, it is received by the exit server and encrypted. The exit server passes this encrypted response back to the next OR in the chain. Each OR then encrypts the data using a key that only your client and that OR know. Eventually, the response will be received by your computer, where you unwrap the six layers of encryption and process the data.
This layering of encryption is how onion routing receives its name; each onion router must peel off the outer layer of skin, like peeling an onion. We could go into more technical detail here, but I'm sure it'd make you cry, just as though you were peeling a real onion. If you'd like to read more on how onion routers operate, check out Tor's design documentation at http://tor.eff.org/doc/design-paper/tor-design.html.
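The {{{{{{Hi, Bob!}}}}}} picture above, carried through in code as an added example that is not Tor's code or the chapter's: six constructed ORs each hold one key, the client wraps the message in six layers, each OR peels exactly one layer and learns only the next hop, and the exit node is the only one that sees the plaintext and the Internet target. The reply path is modelled too: the exit encrypts, every OR adds a layer, and the client removes all six. The "cipher" is a toy SHA-256 keystream XOR, chosen only so the example runs with the standard library; real Tor uses proper ciphers, per-hop key exchange and fixed-size cells, none of which is modelled here. Hop names, keys and the target string are constructed.

```python
"""Toy model of onion-layered encryption (added example, not Tor's code).

Toy cipher: XOR with a SHA-256-derived keystream. It is symmetric, so the
same call wraps and peels a layer. Hop names, keys and the exit target are
constructed for the example.
"""
import hashlib

EXIT_TARGET = b"talk.google.com:5222"   # where the exit OR forwards to


def keystream(key, n):
    """Toy keystream: SHA-256(key || counter) blocks, truncated to n bytes."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def xor_crypt(key, data):
    """XOR stream cipher: encrypts and decrypts with the same call."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_onion(payload, circuit):
    """circuit: list of (hop_name, key) from the first OR to the exit OR.

    Wrap from the inside out. The exit's layer names the Internet target;
    every other layer names only the next OR, so a hop learns nothing else.
    """
    cell = xor_crypt(circuit[-1][1], EXIT_TARGET + b"\x00" + payload)
    for i in range(len(circuit) - 2, -1, -1):
        _, key = circuit[i]
        next_hop = circuit[i + 1][0].encode()
        cell = xor_crypt(key, next_hop + b"\x00" + cell)
    return cell


def peel(key, cell):
    """What one OR does: strip its layer, read the next hop, pass the rest."""
    plain = xor_crypt(key, cell)
    next_hop, _, inner = plain.partition(b"\x00")
    return next_hop, inner


def forward_path(payload, circuit):
    """Simulate the cell travelling the circuit; record what each OR sees."""
    seen = {}
    cell = build_onion(payload, circuit)
    for name, key in circuit:
        next_hop, inner = peel(key, cell)
        seen[name] = (next_hop, inner)
        cell = inner
    return seen          # the exit OR's 'inner' is the raw payload


def return_path(response, circuit):
    """Reply: the exit encrypts first, then every OR on the way back adds
    its own layer, so the client receives six layers."""
    cell = response
    for _, key in reversed(circuit):
        cell = xor_crypt(key, cell)
    return cell


def client_unwrap(cell, circuit):
    """The client holds every hop's key and removes all the layers."""
    for _, key in circuit:
        cell = xor_crypt(key, cell)
    return cell


# Constructed six-OR circuit, as in Figure 6.4; keys are derived from labels.
CIRCUIT = [(f"or{i}", hashlib.sha256(f"toy-key-{i}".encode()).digest())
           for i in range(1, 7)]
```

In `forward_path`, `or1` sees only the name `or2` plus an opaque blob, and `or6` (the exit) is the first place the string "Hi, Bob!" and the destination appear in the clear, which is exactly the exposure the text describes at the exit server.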
Configuring Google Talk to Use Onion Routing Proxies
Installing and using Tor with Google Talk is not very difficult. You must first download and install the Tor and Privoxy packages from http://tor.eff.org. Currently, you can download a bundle package that includes Tor, Privoxy, and Vidalia.
Tor is the client that connects to the Tor network; Privoxy works hand in hand as a locally run proxy. Privoxy will route your local data out through Tor. Privoxy runs as a service on your computer, listening for network connections on TCP port 8118 by default. Any data sent to your computer on port 8118 will be immediately redirected out through Tor. Vidalia is an intuitive graphical interface for interacting with the Tor client. It loads an onion icon into your system tray from which you can configure all your Tor-related settings; it even allows you to use your computer as an onion router.
Tools & Traps…
DNS Leakage! Oh, My!
Using a standard Tor client to connect to the Internet does pose one interesting problem in your hunt for anonymity: It leaks DNS requests. As you might already know, every time you attempt to connect to a domain name on the Internet, such as talk.google.com, your computer asks its designated DNS server for the actual IP address, because connections are allowed only through an IP address. Using a standard Tor server can help
Simply download the Tor, Privoxy, and Vidalia bundle from Tor's Web site and run the executable to begin installing the software. Step through the process, choosing a Full Install, to install each piece onto your computer.
To use the installed functionality, simply configure Google Talk to use Tor by default. Open your Google Talk client and open Settings, as shown earlier in this chapter. Click Connections to show your proxy settings, as shown in Figure 6.3. Input 127.0.0.1 into the host field and 8118 into the port field.
Then simply click OK and sign into the Google Talk service. From your perspective, it will appear that little has changed. However, if you have the tools (such as Wireshark, from www.wireshark.org) to monitor your network traffic, you will see all the traffic being sent to a Tor server instead of Google Talk's server.
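What actually crosses the wire to a local HTTP proxy such as Privoxy on 127.0.0.1:8118 when a client is configured as above, as an added example that is neither Google Talk's nor Privoxy's code. It builds the CONNECT request, adds the Proxy-Authorization header only when the proxy is "closed" (the authentication fields from the settings screen), and on the proxy side checks the point made in the DNS-leakage sidebar: a client that hands the proxy a hostname lets the name be resolved beyond the proxy, whereas a client that sends a literal IP address has already done the DNS lookup itself, outside the tunnel. The credentials and the 203.0.113.10 address are constructed; the CONNECT syntax is the standard HTTP form.

```python
"""HTTP CONNECT request builder and proxy-side parser (added example,
not Google Talk's or Privoxy's code). Credentials and the literal IP
used below are constructed."""
import base64
import ipaddress


def build_connect(host, port, username=None, password=None):
    """The request a client sends to an HTTP proxy to open a TCP tunnel.

    Proxy-Authorization is added only for a 'closed' proxy. Basic auth is
    just base64(user:pass), not encryption, so it belongs on a trusted link.
    """
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_connect(raw):
    """Proxy side. Returns (host, port, resolved_locally, credentials).

    resolved_locally is True when the client sent a literal IP address:
    the DNS query for the name has already gone out from the client's own
    resolver, which is the leak the sidebar describes.
    """
    head, _, _ = raw.decode().partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, authority, _version = request_line.split(" ")
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, _, port = authority.rpartition(":")
    host = host.strip("[]")          # allow a bracketed IPv6 literal
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    credentials = None
    auth = headers.get("proxy-authorization", "")
    if auth.startswith("Basic "):
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        credentials = (user, pw)
    try:
        ipaddress.ip_address(host)
        resolved_locally = True
    except ValueError:
        resolved_locally = False
    return host, int(port), resolved_locally, credentials


def leak_report(raw):
    """One-line verdict a proxy operator could log for each CONNECT."""
    host, port, leaked, _ = parse_connect(raw)
    state = "name resolved by client (DNS leak)" if leaked else "name passed to proxy"
    return f"{host}:{port} {state}"
```

A proxy that logs `leak_report` output makes the difference visible: `talk.google.com:5222 name passed to proxy` is the behaviour you want from a client behind Tor, while a literal address in the same position means the lookup already happened locally.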
Using an SSH Tunnel
Another form of creating a proxy connection is through an SSH tunnel, in which you create a Secure Shell (SSH) connection from your computer to another machine outside your network. Your Google Talk traffic can then be routed through this tunnel outside your network and into the wild, free world of the Internet. SSH allows encrypted data to be transmitted directly between two computers, though it's normally used for controlling a remote Linux or UNIX server. To take advantage of SSH tunneling, you must have an SSH server somewhere on the Internet, usually in the form of a Linux server.
You will also need an SSH client installed on your computer. Linux and Mac OS X users already have a great client built in, for free. Windows users will have to obtain their own SSH client; we highly recommend Putty, a free, open-source application that can be obtained from www.putty.nl.
Tools & Traps…
Buying a Ticket for an SSH Tunnel
Not everyone has their own Linux or UNIX servers in their homes, although they should. So, luckily there are a large number of publicly available ones on the Internet. These servers sell SSH access to purchased accounts, known as "shell accounts". While there are some free shell services out there, most require some form of regular payment. One of the greatest lists of free shell accounts can be found at www.ductape.net/~mitja/freeunix.shtml. There are also sites that list commercial shell accounts, such as www.shellsearch.com.
Creating an SSH Tunnel in Windows
We’ll use Putty to demonstrate how to create a tunnel within Windows.
Putty will build an encrypted SSH tunnel between your machine and the remote SSH server. The data will be decrypted at the SSH server and passed on to Google Talk. The process is reversed for return data. Note that anyone with a computer between the remote SSH server and the Google Talk server can snoop on your session.
Installing Putty is easy. Simply download Putty and run the executable; there is no installation process. The main window might seem cluttered, as shown in Figure 6.5, but the default window shows the session configuration screen, where you will enter the information about the remote SSH server.
Figure 6.5 Creating an SSH Tunnel With Putty
Before we make a connection to the SSH server, we need to configure port forwarding within Putty, which allows it to listen for data and relay it to your SSH server. Simply browse through the left explorer bar to Connection | SSH | Tunnels, as shown in Figure 6.6. At the bottom of this screen are two fields labeled Source port and Destination. The source port is the TCP port that you want Putty to listen on for your Google Talk client. The destination is the name of Google Talk's server, with its associated port number.
Simply input the source port as 5223 and the destination as talk.google.com:5223, then press the Add button to store the data. If the data was entered correctly, you should see the text "L5223 talk.google.com:5223" appear within the Forwarded ports field.
With these values entered, click the Open button to begin the connection. Log into the SSH server, when prompted, with your assigned username and password. Once you've logged in and received a command shell, you're all done. Now just open Google Talk and configure it to use a proxy host of localhost and a port of 5223, using the steps we went over earlier in this chapter. Sign into Google Talk, and now all your Talk traffic will look like a normal, encrypted SSH stream.
Figure 6.6 Creating an SSH Tunnel With Putty
Creating an SSH Tunnel in Linux and OS X
Configuring an SSH tunnel from within Linux and Macintosh OS X is a bit simpler to do, especially if you’re used to working on the command line.
Instead of sifting through numerous screens and text boxes, merely open a terminal window and type the following:
$ ssh -L 5223:talk.google.com:5223 -N <username>@<hostname>
Simply provide your SSH username as username and the name or IP address of the SSH server as hostname. Once you're connected, the -N switch tells SSH not to start a command shell, so the window will just appear to freeze. This is normal behavior; ssh is simply waiting for data to come across its connection. Now
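What the `-L 5223:talk.google.com:5223` option (and Putty's "L5223 talk.google.com:5223" entry) sets up on the local side, as an added example that is neither OpenSSH's nor Putty's code: a listener on localhost that accepts a connection and relays bytes in both directions to a destination. It is also the "proxy accepts your request, connects to the target, and relays the data" model from the start of the chapter, reduced to code. The SSH encryption between your machine and the SSH server is deliberately not modelled: this relay passes bytes on exactly as it receives them, which is why, past the SSH server, the chapter warns that the session can be snooped. The echo server standing in for the far end, and all ports, are constructed.

```python
"""Local port-forward relay, the client-side half of 'ssh -L' (added
example, not OpenSSH's or Putty's code). No encryption is applied; the
echo server is a constructed stand-in for the destination."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes one way until EOF, then close the writer side."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _closer(sock):
    """Return a stop() that unblocks accept() and releases the socket."""
    def stop():
        try:
            sock.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        sock.close()
    return stop


def start_forwarder(listen_port, dest_host, dest_port):
    """Equivalent of -L listen_port:dest_host:dest_port.

    Binds 127.0.0.1 only, as ssh -L does by default, so only local
    programs (Google Talk, in the chapter) can use the tunnel.
    Returns (bound_port, stop).
    """
    ls = socket.socket()
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(("127.0.0.1", listen_port))
    ls.listen(5)

    def serve():
        while True:
            try:
                client, _ = ls.accept()
            except OSError:
                return                         # stopped
            remote = socket.create_connection((dest_host, dest_port))
            threading.Thread(target=_pump, args=(client, remote), daemon=True).start()
            threading.Thread(target=_pump, args=(remote, client), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return ls.getsockname()[1], _closer(ls)


def start_echo_server():
    """Constructed stand-in for the far end; replies 'echo:' + request."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(b"echo:" + conn.recv(4096))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], _closer(srv)


def round_trip(message):
    """Send message through forwarder -> echo server and return the reply."""
    echo_port, stop_echo = start_echo_server()
    fwd_port, stop_fwd = start_forwarder(0, "127.0.0.1", echo_port)
    try:
        with socket.create_connection(("127.0.0.1", fwd_port)) as s:
            s.settimeout(5)
            s.sendall(message)
            s.shutdown(socket.SHUT_WR)
            reply = b""
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                reply += chunk
            return reply
    finally:
        stop_fwd()
        stop_echo()


if __name__ == "__main__":
    print(round_trip(b"Hi, Bob!"))
```

In the real command the listener is the same, but the relay's far side is the SSH connection, so a packet capture on your own network shows only SSH to the remote server, while the destination name and port are carried inside the tunnel to be opened by the SSH server.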
Summary
Many corporate networks implement proxy servers to route all egress network traffic through a centralized server, called a proxy server. This server handles all connections to the Internet, and also logs all transactions for later review. A proxy is simply a server that relays your Internet traffic to its destination, without having your client connect directly to the destination.
However, not only can proxies be used for internal monitoring, but also to allow your users to hide their network traffic on your network. Instead of users connecting directly to Google, they would be connecting to a nondescript proxy server on the Internet, making it more difficult for you as the network administrator to track their activities. They can also allow you to bypass blocks placed against certain domain names and IP addresses.
Configuring Google Talk to use a proxy is performed very simply using the steps outlined in this chapter. Enter the configuration settings for Google Talk and view the connection settings. From here, specify that you wish to use a particular proxy and type in the address of the proxy and the port that it listens on.
While proxies can be used simply to slide traffic past network blocks, they can also be used to encrypt your traffic and randomly bounce it around the world before delivering it to your destination. This practice is known as onion routing, using famous programs such as Tor. To implement Tor for Google Talk, you simply need to download and install the Tor/Vidalia/Privoxy package described in this chapter and configure Google Talk to route traffic through your Privoxy application. The data will then be encrypted several times over and sent out through a chain of Tor proxy servers, many of which don't know where you're coming from or where you're going to.
You can also send traffic out of your network by creating an encrypted SSH tunnel between your computer and another on the Internet. To do so, you just need an account on a remote Linux/UNIX server running SSH, and a local SSH client, such as Putty. The tunnel is created by connecting to the remote server through your client, and then directing Google Talk to send its traffic through this tunnel. It is a quick and efficient way to encrypt your data and bypass network blocks.