MASQUE sounds like an other backronym. :-) 14:14 unless you fail to do proper validation, see: Defeating Ssl Using Sslstrip (Marlinspike Blackhat) / More Tricks for Defeating SSL (Defcon 17). 25:25 I think QUC can only fall back to TCP as regular HTTP/1 or HTTP/2
If u can make a video on Nodejs Libuv library. I thinks it is also important topic to cover. I have seen other video but didn't understand it. U explain it very nicely with real life example. Love ur work. 👍
@@hnasr I work on backend, but don’t have the knowledge of computer networks and struggle with it, it would be really helpful if you could make a similar kind of “learning path” video for computer networks.
If there was a http request on my tunnelling server from the source, is there any way I can add a custom HTTP header while passing the request to the destination?
5:40 I am not sure the source port of the second segment would be as mentioned in the video (ie. 8080). Because if it is so, there wouldn't be a way for the proxy to distinguish traffic belonging to 2 clients (or 1 client with 2 browsers/tabs for that matter) and same destination.
That is correct, the source port is always going to be random and unique per client. I only picked 8080 to show an example, but it does confuse the story.
But what if proxy establish tunneling with you instead of target server? It can fake that you're connecting to target server by reading your payload and sending it to the target server and response back to you. Kinda same as it was in simple Proxy but with tunneling between you and proxy. Am I wrong? What can prevent this situation?
An evil proxy can of course try to that but it will be caught immediately in the TLS server hello when it presents the its own certificate (not the target server cert)
Thanks for your explanation, what is the difference between http proxy with connect method and layer 4 proxy? If ı want to establish an end-to-end secure connection with the target, can't ı do that with layer 4 proxy as well? Any help will be appreciated.
There wasn't a way to tunnel UDP data with HTTP since it wasn't required, people were using SOCKS protocol for that. MASQUE with QUIC the new protocol supports tunneling udp
So I am studying this concept because I want my less powerful AWS machine to HTTP tunnel with my local PC (which will have ML models). Is this possible and useful or have I misunderstood the concept. Thanks.
yes there is now, the new “extended connect” can connect over a single stream (as opposed to the whole connection) more here , the server has to support it though www.rfc-editor.org/rfc/rfc7540#section-8.3
hmm socks is Secured Over Credential-based Kerberos that's mean i'm wrong , cause socks is just a proxy with credentials so u can't access it without credentials
@@MecegguemMohamed Below is what Wikipedia says :-) "SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS5 _optionally_ provides authentication so only authorized users may access a server. Practically, a SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded." And no SOCKS and HTTP Connect are not directly related. SOCKS with at the TCP level, you connect with a lower level protocol like TCP to a SOCKS proxy and for HTTP Connect you use HTTP.
MASQUE sounds like an other backronym. :-)
14:14 unless you fail to do proper validation, see: Defeating Ssl Using Sslstrip (Marlinspike Blackhat) / More Tricks for Defeating SSL (Defcon 17).
25:25 I think QUC can only fall back to TCP as regular HTTP/1 or HTTP/2
HUSSEIN YOU'RE A BEAST. T
If u can make a video on Nodejs Libuv library. I thinks it is also important topic to cover. I have seen other video but didn't understand it. U explain it very nicely with real life example.
Love ur work. 👍
very helpful... excellent!
Thank you for this video! Finally understood why College/University HTTP Proxies do not allow ports 21, 22, 25 and only open 80 & 443
Thank you! Excellent explanation of core concepts!
Knowledge is power and you're superhero, boss! 💯♥️
Respect++
❤️❤️
Can you make a video on "how to get started with computer networks for backend engineers". Better yet if you can make a course on it 😀.
Interesting idea , I made a starter video to discuss the idea which is possible ruclips.net/video/A20hvCH6Drs/видео.html
@@hnasr I work on backend, but don’t have the knowledge of computer networks and struggle with it, it would be really helpful if you could make a similar kind of “learning path” video for computer networks.
The video sound is pretty good, beyond my imagination
A protocol that can be used for tunneling that leverages UDP is DTLS
Does Nginx uses CONNECT to stream traffic to the backend servers when it's used as a layer 4 reverse proxy ?
You a hero bro
could it be used as a firewall evasion technique?
If there was a http request on my tunnelling server from the source, is there any way I can add a custom HTTP header while passing the request to the destination?
You make every concept easy! Thank you!
5:40 I am not sure the source port of the second segment would be as mentioned in the video (ie. 8080). Because if it is so, there wouldn't be a way for the proxy to distinguish traffic belonging to 2 clients (or 1 client with 2 browsers/tabs for that matter) and same destination.
That is correct, the source port is always going to be random and unique per client. I only picked 8080 to show an example, but it does confuse the story.
You KNOW EVERYTHING!!!!!!
great video! thanks a lot
thanks. so there are always 2x independent TCP connections if there is 1 Proxy in the middle, right?
But what if proxy establish tunneling with you instead of target server? It can fake that you're connecting to target server by reading your payload and sending it to the target server and response back to you. Kinda same as it was in simple Proxy but with tunneling between you and proxy. Am I wrong? What can prevent this situation?
An evil proxy can of course try to that but it will be caught immediately in the TLS server hello when it presents the its own certificate (not the target server cert)
Thanks for your explanation, what is the difference between http proxy with connect method and layer 4 proxy? If ı want to establish an end-to-end secure connection with the target, can't ı do that with layer 4 proxy as well? Any help will be appreciated.
in HTTP proxy, how client request knows that it should go to the proxy first?
A normal app server should never accept CONNECT method then?
Thanks for your content, Q for you: I am not clear why UDP is not supported on HTTP CONNECT. How do we tunnel UDP data then?
There wasn't a way to tunnel UDP data with HTTP since it wasn't required, people were using SOCKS protocol for that. MASQUE with QUIC the new protocol supports tunneling udp
hi hussein is that possible an http and icmp tunneling work together to perform network diagnostics? and how?
So I am studying this concept because I want my less powerful AWS machine to HTTP tunnel with my local PC (which will have ML models). Is this possible and useful or have I misunderstood the concept. Thanks.
"There is no HTTP/2 CONNECT method" - chatgpt claims there is... or maybe now there is.
yes there is now, the new “extended connect” can connect over a single stream (as opposed to the whole connection) more here , the server has to support it though
www.rfc-editor.org/rfc/rfc7540#section-8.3
is http connect mean socks5 protocol ?
hmm socks is Secured Over Credential-based Kerberos that's mean i'm wrong , cause socks is just a proxy with credentials so u can't access it without credentials
@@MecegguemMohamed Below is what Wikipedia says :-)
"SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS5 _optionally_ provides authentication so only authorized users may access a server. Practically, a SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded."
And no SOCKS and HTTP Connect are not directly related. SOCKS with at the TCP level, you connect with a lower level protocol like TCP to a SOCKS proxy and for HTTP Connect you use HTTP.
Man, too much WORDS!
This sucks