socks5 support

Dan Kaminsky dan at doxpara.com
Sat May 11 19:35:32 EST 2002


> Good luck, I sent in a patch for socks5 support back in October of last
> year and got blown out of the water by the "developers".

Ack.  My fault.  I don't think I ever made the point sufficiently clear as
to why SOCKS4, despite its ridiculous usefulness, is insufficient for a
number of security critical applications.

Let me be blunt:  SOCKS4 DYNAMIC FORWARDS AREN'T SECURE ENOUGH.

Given a SOCKS4 dynamic forward from Alice's network to Bob's, the DNS server
on Alice's network is able to monitor tunnel destinations into Bob's
network, and may even redirect those tunnels to arbitrary locations.  This
doesn't happen with SOCKS5 *or* HTTP -- DNS is handled remotely, just like
in SSH Local Port Forwards.  This issue isn't horrific enough to remove
SOCKS4 support entirely, because it's only a problem when communicating from
actively hostile networks -- but if we've got the SOCKS5 support sitting in
front of us, not only are we supporting a greater range of applications, but
we're not exposing users to a genuine security concern.

Why HTTP as well?  Because I know we've got that code too, and it allows us
to say we've got a trivial API for SSH port forwards.  SOCKS is only trivial
once you learn it :-)

As for SOCKS4A -- I'm inordinately pleased to have the code, but I just
don't know what supports it on the client side.

--Dan
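The point Dan makes above comes down to what the CONNECT request carries on the wire. The following is an added example (it is not part of the original post and not OpenSSH code) that builds and decodes the three request formats and reports where the hostname lookup happens. All names are constructed: `bob.example` is a hypothetical destination inside Bob's network, and the SOCKS4 builder takes a resolver callback so it can be run with a stub instead of a real DNS query.

```python
"""Where does DNS resolution happen for a dynamic forward?

SOCKS4  CONNECT carries only a 4-byte IPv4 address, so the client application
        must resolve the hostname itself, i.e. with the DNS server of the
        (possibly hostile) network it is sitting on.
SOCKS4A CONNECT carries the hostname after the userid (DSTIP = 0.0.0.x, x != 0),
        so the far end of the tunnel resolves it.
SOCKS5  CONNECT with ATYP 0x03 carries the hostname, so the far end resolves it;
        with ATYP 0x01/0x04 the client has already resolved it locally.

Added example; not part of the openssh-unix-dev post or of OpenSSH itself.
"""
import socket
import struct


def build_socks4_connect(host, port, resolve=socket.gethostbyname, userid=b""):
    # The lookup happens here, on the client, before anything enters the tunnel.
    ip = resolve(host)
    return struct.pack("!BBH4s", 4, 1, port, socket.inet_aton(ip)) + userid + b"\x00"


def build_socks4a_connect(host, port, userid=b""):
    # 0.0.0.1 is the SOCKS4A marker: "a hostname follows the userid".
    marker = b"\x00\x00\x00\x01"
    return (struct.pack("!BBH4s", 4, 1, port, marker)
            + userid + b"\x00" + host.encode("idna") + b"\x00")


def build_socks5_connect(host, port):
    # VER=5 CMD=CONNECT RSV=0 ATYP=3 (domain name), then len + name, then port.
    name = host.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("SOCKS5 domain names are limited to 255 bytes")
    return struct.pack("!BBBBB", 5, 1, 0, 3, len(name)) + name + struct.pack("!H", port)


def classify(request):
    """Decode a CONNECT request.

    Returns (protocol, destination, port, resolved_by) where resolved_by is
    "local" when the client had to resolve the name on its own network and
    "remote" when the name travels through the tunnel unresolved.
    """
    ver = request[0]
    if ver == 4:
        cmd, port, raw_ip = struct.unpack("!BH4s", request[1:8])
        if cmd != 1:
            raise ValueError("only CONNECT is handled here")
        _userid, _, tail = request[8:].partition(b"\x00")
        if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:
            hostname, _, _ = tail.partition(b"\x00")
            return ("SOCKS4A", hostname.decode("idna"), port, "remote")
        return ("SOCKS4", socket.inet_ntoa(raw_ip), port, "local")
    if ver == 5:
        cmd, _rsv, atyp = request[1], request[2], request[3]
        if cmd != 1:
            raise ValueError("only CONNECT is handled here")
        if atyp == 1:   # IPv4 literal: client already resolved it
            port = struct.unpack("!H", request[8:10])[0]
            return ("SOCKS5", socket.inet_ntoa(request[4:8]), port, "local")
        if atyp == 4:   # IPv6 literal: same situation
            port = struct.unpack("!H", request[20:22])[0]
            return ("SOCKS5", socket.inet_ntop(socket.AF_INET6, request[4:20]), port, "local")
        if atyp == 3:   # domain name: resolved at the far end of the tunnel
            n = request[4]
            host = request[5:5 + n].decode("idna")
            port = struct.unpack("!H", request[5 + n:7 + n])[0]
            return ("SOCKS5", host, port, "remote")
        raise ValueError("unknown SOCKS5 address type %d" % atyp)
    raise ValueError("unknown SOCKS version %d" % ver)


if __name__ == "__main__":
    # Stub resolver standing in for Alice's DNS server (constructed answer).
    alice_dns = lambda name: "10.0.0.5"
    for req in (build_socks4_connect("bob.example", 22, resolve=alice_dns),
                build_socks4a_connect("bob.example", 22),
                build_socks5_connect("bob.example", 22)):
        print(req.hex(), classify(req))
```

Run stand-alone it prints the raw bytes next to the classification; the SOCKS4 request contains `0a000005` (the answer Alice's resolver gave) and no trace of `bob.example`, while the SOCKS4A and SOCKS5 requests carry the name itself. Note that SOCKS5 only helps when the client application actually sends ATYP 0x03; a client that resolves first and sends an IPv4 literal is back in the SOCKS4 situation, which is why some clients expose a separate "resolve remotely" mode.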
