×

Loading...
Ad by
  • 推荐 OXIO 加拿大高速网络,最低月费仅$40. 使用推荐码 RCR37MB 可获得一个月的免费服务
Ad by
  • 推荐 OXIO 加拿大高速网络,最低月费仅$40. 使用推荐码 RCR37MB 可获得一个月的免费服务

看在同胞的份儿上告诉你个前段时间发生的真实事件, 你自己核计着办: 我们单位某个人在网上赌马, 自从我们Block了网上赌博以后就用Proxy继续赌, 平时也没人管, 某日此人的头儿不知为何对此人心生不满, 要开除他, 但苦于没啥好理由, 就让我们查一下他的上网记录,

这下可有得瞧的了,一周之内好几百页的上网记录都指向同一个法国的Proxy IP,此人的头儿立马把记录交给HR, HR约见此人让他澄清他在法国那边有什么和工作有关的业务, 那可真叫有乐子了.......

具体结果我都没稀得问, 反正跟我没关系, 而且也太多了. 现在上网记录已经成为Manager手中最好的屠刀, 那可真是杀人不见血啊, 还让你哑巴吃黄莲...谁能说自己上网都是为工作, 有一点儿问题都可以放大, 至于你具体在网上的内容根本就不重要, 只要你去访问的IP说不清楚就够了, 你上班时间访问家里的IP很容易让人联想到你上班时间干私活的, 没事的时候都好说, 否则就是事儿, 自己想好了, 自己能承担后果就成.
Report

Replies, comments and Discussions:

  • 工作学习 / 学科技术讨论 / 公司block了除通过proxy之外的其他internet outgoing包.现在我家里有一台linux,把443转到linux的22上,然后使用putty设置好proxy,连到家里的443口,建立了ssh通道.现在可以使用这个通道访问家里的一些资源,甚至RDP家里的电脑.但是,这样安全吗?即使使用443建立通道,公司是不是
    也知道内容?还是只知道流量?
    • 只知道流量
      • 确定?使用443就一定使用SSL?因为即使https协议,也可以指定其他端口,所以是不是443也不一定被加密?
        • ssh是加密的。
          • 但是我要是不使用443,而是使用80建立ssh,有什么区别?
    • SSH is encrypted, so there is no way they know what you are doing. But they know the source/destination IP and they might know it's not typical HTTPS traffic.
      • 这个知道。只是网上介绍ssh建立tunnel时说最好使用443端口,而不是80,不知道为什么
        • The proxy server might handle the request differently when using different port.
          本文发表在 rolia.net 枫下论坛From the ssh server point of view, port 80 or port 443 make no difference.

          From the Proxy server, it is different. I don't really know how the proxy server work ( and there are different type of proxies, probably work differently) , My guess is

          if a client send a http request, the proxy server work as a bridge mode, it will send the request to remote web host on behalf the client, and send back the response to client, so the proxy has full knowledge with the traffic, it can filter/block forbidden request and log any request.

          Https is different, See: http://www.isaserver.org/tutorials/Understanding_SSL_bridging_and_tunneling_within_ISA.html

          ISA deals with an outbound request by processing any request hat is directed to ISA that points to either port 443 or has an Https affiliation.

          Most proxy server should work as tunnel mode, so client and remote server are directly talking to each other. it won't check the traffic content. So if you use port 80, the proxy server will want to analyze the request as http request and it will fail, so you won't be able to connect.

          I heard some proxy server can decrypt the ssl from client, then re-encrypt it and send it to remote web server, thus working as a middle man to inspect all the traffic, but this require the proxy server has a wildcast ssl certificate cover all domain, so it should be easy to find out. Also you won't be able to do ssh connection through this kind of proxy.更多精彩文章及讨论,请光临枫下论坛 rolia.net
        • One more thing, they won't know what you are doing with ssh, but it's possible they know you ssh to a remote host.
          the initialization part of ssh is not encrypted, so if there is a sniffer inspecting all the traffic, they will see you created a ssh connection, but they won't know what you are doing inside the ssh session. So still need to be careful if your company has really strict security policy.
          • 好像这个就是使用443和80去建立ssh通道的区别.只是我想知道在浏览器处理ssl页面时,是加密的,但是我把443转到家里的22时,在初始化时有可能我的路由器把它加密吗?
            • I don't think it's possible for router to do the job.
              If you don't want admin to find out you are going out of corporate network, A better solution is to setup a SSL-VPN server. This way the traffic is based on a ssl connection, so it's identical to a https access. I know there are some free Linux based ssl-vpn product.

              But most time I think your solution is safe enough Most companies are not that strict ( it will cause too much admin work), My company allow people to work from home, so many people have vpn access. I setup a Linux server in my home with VPN client configured, if I need to go out, I will just use my phone to start the vpn client, then it will get a corporate network ip, then I can ssh from office to my home linux machine, then I can go anywhere.
              • ssh应该比ssl vpn轻一些吧?我之所以使用ssh通道是因为家里有现成的WRT,不想搭新的。否则使用openvpn也是一个选择。不过还是觉得ssh轻些
                • 那是。ssh 是现成的. ssl-vpn还要安装配置。
    • 给你支一招:用HTTPS, 并安装Shell-in-box,即通过https使用SSH shell。少量登录,不过分就行。
    • 看在同胞的份儿上告诉你个前段时间发生的真实事件, 你自己核计着办: 我们单位某个人在网上赌马, 自从我们Block了网上赌博以后就用Proxy继续赌, 平时也没人管, 某日此人的头儿不知为何对此人心生不满, 要开除他, 但苦于没啥好理由, 就让我们查一下他的上网记录,
      这下可有得瞧的了,一周之内好几百页的上网记录都指向同一个法国的Proxy IP,此人的头儿立马把记录交给HR, HR约见此人让他澄清他在法国那边有什么和工作有关的业务, 那可真叫有乐子了.......

      具体结果我都没稀得问, 反正跟我没关系, 而且也太多了. 现在上网记录已经成为Manager手中最好的屠刀, 那可真是杀人不见血啊, 还让你哑巴吃黄莲...谁能说自己上网都是为工作, 有一点儿问题都可以放大, 至于你具体在网上的内容根本就不重要, 只要你去访问的IP说不清楚就够了, 你上班时间访问家里的IP很容易让人联想到你上班时间干私活的, 没事的时候都好说, 否则就是事儿, 自己想好了, 自己能承担后果就成.
      • 确实,谢谢。可是上班没事干总不能直接打瞌睡啊
        • 学专业技术, 学学历, 学...................