HTTPort newsletter
HTTPort newsletter
Hosted by SSI Micro
To post a message, register first.
Contents:
"HTTPort/HTTHost speed (again)" by Targeted �
"HTTPort 3.SNFM and HTTHost 1.8.0" by Targeted �
"Running HTTHost under Unix" by Targeted �
"HTTPort 3.SNF2 and SDK 1.3.19" by Targeted �
"HTTHost 1.7.1 and SDK 1.3.18" by Targeted �
"HTTPort 3.SNF1" by Targeted �
"Personal HTTHost Installation /1" by Targeted �
"Personal HTTHost Installation /2" by Targeted �
"Tunneling mIRC with HTTPort" by crano �
"Installing HTTHost as a service" by Arjen �
"HTTHost 1.7.0 Personal Edition" by Targeted �
"WinMX woes" by Targeted �
"HTTPort 3.SNF" by Targeted �
"HTTPort 3.SN2" by Targeted �
"HTTPort 3.SN1" by Targeted �
"Building VPN with H software" by Targeted �
"SLOW ? DISCONNECTS ? WHY ?" by Targeted �
"HTTPort 3.SN" by Targeted �
"Encryption in HTTPort 3" by Targeted �
"HTTPort 3.S1" by Targeted �
"HTTPort 3 and FTP problems" by Targeted �
"HTTPort version 3.S" by Targeted �
HTTPort/HTTHost speed (again) (09-Dec-04) by Targeted
The main design decision which basically made HTTPort what it is was the wish to keep it invisible and indistinguishable from the "normal" HTTP traffic generated by a "normal" user agent (browser). Therefore, HTTPort talks to HTTHost with a sequence of independent HTTP GET requests, each having a short lifetime and returning very limited amount of data.
Therefore HTTPort and HTTHost talk via a sequence of regular HTTP GET requests. A request is always initiated by the client. Each request contains protocol data and possibly (with 'send' protocol command) some tunneled data flowing from the client to the server. Each response in turn contains protocol data and possibly (when responding to 'recv' protocol command) some tunneled data flowing from the server to the client. One thing to note here - no matter if HTTHost server has data to be sent to the client, it still has to wait until a 'recv' request arrives from the HTTPort. This is known as polling and is also an important architectural decision.
Now, network "speed" is a sum of two things - throughput and latency.
Note however that there are parts that will always be there and can't be avoided. These are delays imposed by the proxy, and by the network. No matter what you do, those two are always there and add significantly. I will be using N for the average number of requests per second the proxy being tunneled can get through from any given client to any given server. I'd say this is normally well under 10. Evenly significant is the fact that HTTPort/HTTHost exist to tunnel traffic to some 3rd server, and it's speed and availability are of utter importance too.
So, THROUGHPUT:
There is one thing that significantly cripples _sending_ throughput capability. Remember that client tunneled data is sent embedded within an HTTP GET request. But HTTP GET request is sort of limited with places where such auxiliary information can be inserted. HTTPort can use two places for data insertion - one (default) optimistic and one (if optimistic fails) pessimistic.
* Optimistic: embed data as a separate request field. Example - if the client sends tunneled plaintext SMTP data "HELO myname", this data is base64 encoded (which gives "SEVMTyBteW5h") and added to the request like this:
GET /protocol-specific-url(field=Qwerty) HTTP/1.1
Host: htthost.server
Qwerty: SEVMTyBteW5h
where Qwerty is a random field name. This is a valid and working approach, but it's still limited in that you can't make request header fields arbitrary large, or proxies would start to deny it. For instance, Squid had a default limit of 10K for request header last time I checked. In HTTPort the maximum length of data to be sent from client to the server within a single request field is controlled with MAX_HTTP_SEND_QUOTA constant which is 2048 by default. This means that no matter what you do, speed of sending client data to the server won't exceed 2K * N / sec
* Pessimistic: an HTTP proxy (Squid is a fine example) can be configured so that it accepts only requests with known fields, or removes unknown fields. In Squid config this option is called "paranoid". In the above example the proxy would have removed the Qwerty header field thus making it impossible to send data. HTTPort detects such an unfortunate case and switches to another mode of sending, where the data is embedded in the URL itself, like this:
GET /protocol-specific-url(data=SEVMTyBteW5h) HTTP/1.1
Host: htthost.server
As you might guess, the URL is also limited in size by most proxies and this limit is even more severe. In HTTPort the amount of data to send within URL per request is not compiled in, but set at runtime instead. This is what DataOverride option in the ini file is for, it contains that number of bytes to be sent within a URL. You can increase this parameter but hardly above 1024. Even in this case, the absolute top speed for sending data would be 1K * N /sec.
There is one more constant left which controls throughput and this time it's server-to-client transfers. The AVG_HTTP_RECV_QUOTA compiled in HTTHost controls the average number of bytes that is encoded within a single response to 'recv' request, it equals 32K by default, therefore HTTPort can't fetch more than 32K per request. Given that the data is transferred in BASE64 encoded form, this makes about 22 * N K/sec top download throughput.
Then, LATENCY:
To lower latency you basically need to decrease all the timeouts there are, but then there's something to bite you in return. For example if you remove all the timeouts, HTTPort starts sending requests to HTTHost like crazy, overloading proxy and network. Who cares if it's for purpose, ex. you are up to something important and it really matters. But consider there's no data to send in either direction (the tunnel is idle). As HTTPort uses polling it still needs to send an HTTP request to HTTHost just to make sure there's (no) data to be received. And as you have removed all the timeouts, this polling will be seen by the proxy as a constant endless stream of HTTP requests, which eats a lot of bandwidth, hence $$. Also pretty suspicious to the admin, while HTTPort was designed as an invisible tool.
There also are protocol timeouts are controlled exclusively by the HTTHost. Each time a request arrives from HTTPort, HTTHost processes it and returns a response. The response contains a number of seconds this HTTPort has to wait before issuing next request. The actual number returned depends on whether there is more data for the client to fetch or not. If there is, MIN_DELAY is returned, if there was, but it's all fetched with current request, MID_DELAY, and if there is totally no data, MAX_DELAY. This setting is controlled in HTTHost on the Options page using Timeouts dropdown field.
Up
HTTPort 3.SNFM and HTTHost 1.8.0 (15-Jan-04) by Targeted
As of January 14, 2004, the new versions of both HTTPort and HTTHost are released. Leaving detailed description of changes to the changelog, I will focus on the main change:
HTTPort and HTTHost talk using their own protocol. The messages of that protocol have to go through the proxy and they are therefore hidden inside valid HTTP GET requests/responses. The way those requests are encoded hasn't changed since version 3.SN2, which is over 2 years back already. This encoding is pretty good actually, it's random and has no patterns in the URL, but the responses are sort of simplistic (fake HTML pages), but who cares since it works. How many proxies out there will go for on-the-fly HTML analysis ?
Now, there goes the change - I have moved all the requests/responses encoding code to the external DLL, which is available with sources. So, if you want to turn your HTTPort traffic into anything HTTP-based, go right ahead, modify the code, build the DLL, copy it to both your HTTPort and HTTHost and away you go. And yes, you have to run your own HTTHost to modify the encoding DLL.
For the same reason, support for custom user-defined "User-Agent" request header field has been added. To specify your own user agent, set "User-Agent" dropdown to "None/Custom", then close HTTPort and edit httport.ini, specifically it's CustomUserAgent=... entry.
For the same reason, support for any other user-defined request header fields has been added. To specify your own fields, edit file httport.hdr.
Up
Running HTTHost under Unix (08-Jan-04) by Targeted
As mentioned on the main site, after recent happy move to FreeBSD, Technology Networks now runs HTTHosts (native Win32 apps) under Win32 binary emulator Wine http://www.winehq.com/
I don't know any details on how it's done, but as far as I know it wasn't difficult at all - install, copy HTTHost, copy all required DLLs and off it goes. I hope Mike posts a detailed article here soon. For now I'd suggest that you simply try running it under Wine following the standard Wine procedures.
Up
HTTPort 3.SNF2 and SDK 1.3.19 (01-Sep-03) by Targeted
Version 3.SNF1 of HTTPort introduced a bug. That version started to exclusively use WinInet for handling HTTP requests. The WinInet module appeared to silently assume that HTTHost always runs on port 80 - the HTTHost port number was not passed properly. All worked fine except for when HTTHost runs on different port - in which case it didn't work at all. Same problem was true for SDK 1.3.16+ I believe.
Now, version 3.SNF2 (1.3.19 for SDK) fixes the problem, and HTTHosts can be run on any port.
Up
HTTHost 1.7.1 and SDK 1.3.18 (03-Jun-03) by Targeted
The server component for HTTPort (HTTHost) is updated, it's version 1.7.1 now. No bugfixes, just a default behaviour change.
In case the target server (the one being tunneled to) is too slow (slower than top HTTPort upload speed, which is 2KBytes times HTTPort-HTTHost requests per second), HTTPort keeps sending data to HTTHost, the local buffer gets full and HTTHost drops the connection. This was the by design behaviour to begin with, but I've long forgotten this and got furious when it hit. So I've done two things - (1) increased the size of the local per-connection buffer (see "Options" tab), which is sort of a stupid and (2) fixed HTTHost to activate maximum timeout whenever data HTTPort arrives and the buffer is not empty. This will delay the next send attempt by at least 2 seconds, thus giving the slow peer time to pick up it's data.
Changes in the SDK reflect both. HTTPort.DLL only has the "Last FTP send" bug fixed (it was using WinInet only since long ago). SDK HTTHost changed in exactly the above described ways.
That's it. Thanks !
Up
HTTPort 3.SNF1 (28-May-03) by Targeted
HTTPort 3.SNF1 is released almost a year after the previous 3.SNF. Again, I have nearly no time to spare on this project.
So, what's changed ?
1. I fixed (I think I did :) the infamous "no config save on system shutdown". Guess what ? Delphi didn't call "FormDestroy" event when the application was hidden. I use old Delphi 5, so this may be the problem, but still. Moved the cleanup code to "FormClose" event handler instead.
2. What's bugged me even more is the worse "last FTP send" bug. When uploading small files with FTP, the last bytes have been lost sometimes, the file was thus truncated. The problem turned out to be that when the connection was closed on the client side, the mapping thread saw an error and discarded all the queued HTTP requests on the connection, even if there was a pending send. Stupid bug but fix wasn't obvious. Had to fix the queue so that the requests can be ordered, and another thread won't pick a disconnect request before a pending send is complete.
3. Removed everything Ad/Banner related. You can see this by changes in eula.txt and the httport.sup file absence. The setup file has shrunk by ~200K which is good too. Banners never actually worked in the field, which is strange, especially given the amount of work it required to build. BUT ! :) I have included a clickable "Send a Gift" URL which points to the same wishlist the HTTHost's URL does.
4. All the requests are now made with WinInet engine. Native low level GETs code is totally removed. The UseWinInet setting has vanished from httport.ini.
So, please try the new version and see if it's any better. Thanks.
Up
Personal HTTHost Installation /1 (16-Apr-03) by Targeted
Here is the step by step instructions on how to install personal HTTHost. It would certainly be great if I could write such an instructions for people with no networking knowledge. Unfortunately, I just can't. I have to use proper terminology and assume you know some basic facts. What I suggest you do if you don't, is find a friend who does. Asking someone who knows is by far the best way of installing software. So, please have your guru friend handy at all times.
If at some point you say "pfff... I don't need that as I know better than that guy", sure go right ahead. It's YOUR problem after all.
Having said all that, let's begin.
For any computer X, let IP(X) be an IP address of that computer. To determine IP(X) locally (while sitting behind X), use ipconfig.exe or winipfg.exe utilities (simply launch them from command line and check the output).
c:> ipconfig.exe
c:> winipcfg.exe
For any computer X, let DN(X) be a Domain Name of that computer (ex. www.yahoo.com or irc.somenet.com). Not all X's have DN(X), but some of them do. DN(X) can be resolved into IP(X) using nslookup utility. Run it from command line like
c:> nslookup DN(X)
and you get IP(X)
For any computer X, let A(X) be an Administrator of that computer, that is, a real person who is responsible for it and/or owns it.
Let BP be a computer Behind a Proxy. It's probably YOUR PC, it's blocked behind a proxy/firewall and you are totally not happy with it.
Let P be a Proxy. Finding P can be trickier. See HTTPort help on finding P (use [?] button on proxy fields and read through).
Step 1. Find a computer outside a proxy (OP) running Windows 98/NT/2K/XP. I can see three possibilities - OP can be run (1) at your home on some sort of cable or DSL OR (2) same but at your friend's home OR (3) at some company run by a friend of yours in a rack, connected with permanent lease line. Note: OP connected with a telephone line modem is nearly out of question. I wouldn't even try.
Check if you are still here with the cases above:
(1) A(OP) = you
(2) A(OP) = your friend
(3) A(OP) = some long haired guy
In all cases, two people will help you if you are stuck - A(OP) and some other guru friend.
The worst case would be (1), where A(OP) are yourself. I will discuss that case separately below. I suggest that you still read the steps through.
Step 2. Ask A(OP) for IP(OP). If IP(OP) is one of the following: 192.168.x.x, 10.x.x.x, 172.16.x.x, then it's a no go, the server doesn't have an external IP address. It means OP is itself blocked with not just a firewall, but NAT which is worse. There are ways around NAT, like port redirection, but it's way too heavy to discuss here. Ask again or go to step 100.
Step 3. Ask A(OP) if IP(OP) is a static or dynamic. Static means that it's been assigned once and doesn't change in time. Dynamic means that it's being allocated periodically (most often - whenever OP is starting) and can change from time to time. Dynamic addresses typically get allocated with DHCP (Dynamic Host Configuration Protocol). If it's static go to Step 5.
Step 4. Something about OP must be static. It's not IP, then it must be DN. Ask A(OP) for DN(OP). If there is none, go to step 100.
Step 5. Ask A(OP) if OP is behind a firewall or not. If not, go to step 7, otherwise ask A(OP) if any unused TCP port is open on the firewal for incoming connections. If not, ask A(OP) if it's possible to open one. If not, go to step 100. Ask for the number of the port.
Step 6. Now we have at least one open incoming TCP port N. Write IP(OP) or DN(OP) and N down. Next thing to do is to make N = 80. This means that A(OP) must let you use incoming port 80 on OP. This can be easy if there is no web server running on OP already (port 80 is usually taken by a web server). In case there is a web server, A(OP) can tell you "no way I'm giving it up". Tell A(OP) that HTTHost has a "passthrough" feature that allows BOTH HTTHost and web server run on a same port (technically they aren't, but it looks like this from outside anyway). So if A(OP) does you a favour, you can both use port 80. Having N = 80 is a major (!) advantage. Having it not 80 can turn in troubles later. Try as hard as you can to make it 80.
Step 7. Ask A(OP) if and which outgoing TCP connections are allowed on the firewall. If they aren't, go to step 100. If only some of them are, you will only be able to tunnel to exactly that ports through this HTTHost. The reason is - when you are tunneling, HTTHost is your eyes and ears. If it's run on an OP which is locked out, you are effectively blind. High unhappiness warning.
Step 8. So, you are sure most of the outgoing connections can make through from OP. Let's do a quick check. While at OP, launch a browser, turn off the proxy in it (!) and surf to http://www.yahoo.com/ If you can't, A(OP) must have fooled you about the free availability of outgoing connections (specifically on port 80). In this case go to step 7.
Step 9. Yahoo got through. Still at OP, go to http://www.htthost.com/ and download latest HTTHost package. Unzip to any local directory. Run htthost.exe.
Step 10. On "Options" tab, in "Bind listening to" and "Bind external to" put either IP(OP) or DN(OP) what have you. Put N in "Bind listening to Port". If it's DN(OP) you entered, check the "Revalidate DNS names" checkbox. Put 777 in "Personal password". Check "Passthrough unrecognized requests to". In "Host name" and "Port" below the "passthrough" enter www.yahoo.com and 80 respectively. Click "Apply". See "Log" tab. There should be NO error messages. If you see "bind() failed" error, then N is wrong, as it's already taken by some other software. With bind() error, go to step 5. With any other error, go to step 200.
Step 11. Get to BP. Launch your browser of choice, make sure it's configured to use P, and surf to http://IP(OP):N/ or http://DN(OP):N/
Step 12. You should get Yahoo. It's actually HTTHost's passthrough working. Your browser's request gets to P, P sends it to OP, OP has HTTHost running at port N, and so the request gets to HTTHost. HTTHost sees that it can't handle that request, redirects it to Yahoo and sends you the result.
Step 13. If you get Yahoo at this point, you are nearly there. If there is no Yahoo, check and double check everything and try again. ... I mean - check it and try again. Don't just skip this and send a "help me now" mail.
Step 14. If you are getting no Yahoo, and all settings are correct, your proxy forbids you from surfing to http://OP:N/ altogether. HTTPort won't work. See what kind of an error browser reports. Most likely it's an "Access denied" sort of an error, and the cause is that N is not equal to 80. If N is not 80, go to step 6. Otherwise go to step 200.
Step 15. While at BP, install HTTPort. In "Proxy you want to bypass" enter IP(P) or DN(P) and in "Port" enter P's port (did I mention [?] button help ?). In "Use privileged host at" enter IP(OP) or DN(OP) and N. Set "User-Agent" to the browser you just tried. Set "Personal password" to 777. Go to "Mapping" tab. Add a mapping with local port "8888", remote host "www.yahoo.com" and remote port "80". Click Start.
Step 16. Go to your browser. TURN THE PROXY OFF. Having no proxy set in your browser, surf to http://127.0.0.1:8888. Have HTTPort handy with Mapping tab active so that you see the green/red LEDs. At this point you should get Yahoo in your browser, green LEDs in your HTTPort and Statistics counts incremented in HTTHost at OP. You may call A(OP) to get the stats checked (you are at BP now, remember ?).
Step 17. If you got Yahoo, go to step 300.
Step 18. You got no Yahoo. Go to step 200.
Step 100. Bad luck. Find a different OP and repeat from step 1.
Up
Personal HTTHost Installation /2 (15-Apr-03) by Targeted
Step 200. It doesn't work. Check everything. Check the whole chain:
Browser -(I)-> HTTPort -(II)-> P -(III)-> OP -(IV)-> HTTHost -(V)-> Yahoo
I. Check to see if you DID TURN OFF THE PROXY so that the browser doesn't ask P for 127.0.0.1. It won't work.
II. See if there are errors in HTTPort log. See if everything's entered correctly.
III. Check to see if you can surf from BP via P to OP. This is crucial. See step 11.
IV. See HTTHost log. If there are any, ask A(OP), he's the guy to ask. See HTTHost stats page, if connections are zeroed out, HTTHost doesn't get no requests, don't blame it and check III.
V. Let me repeat it again - OP must be an open computer (as in - being able to freely access Internet and be freely accessed from Internet), as much as possible. You say Yahoo can't be got from OP. What kind of an open computer is it ?
Still doesn't work ? Call guru. Nothing else helps.
Step 300. Wow ! You did it. Congratulations. Game over. Now ask yourself what was the reason you wanted HTTPort for and start reading FAQ. :)
Where to go from here ? Installing console version of HTTHost as system service at OP will probably make you and A(OP) much happier as it won't require a logon. There is another article in this newsletter on how to to it. Another good idea is to turn encryption on and change personal password in both HTTPort and HTTHost from 777 to something less guessable.
Finally, having port N = 80 at OP is probably as good as it gets. Having it 80 will save you from a lot of troubles. Not having it 80 can break on step 11, as P say "N ? Not 80 ? Forget it" and you get nothing. How to make it 80 ? Go to step 5 and kick A(OP) until incoming TCP port 80 is unused. Point A(OP) to HTTHost's passthrough feature. If A(OP) makes you a favour, both your HTTHost and his priceless web server (taking the port 80 on OP) can share port 80 peacefully. I won't explain using passthrough here. If A(OP) decides to go for it, he will make it work, it's obvious.
Well, that's pretty much it.
P.S. Please don't expect me to help you more. I can't be physically present at the spot and remote support is way too hard for me.
If you have corrections or additions, please drop me a line and I fix it.
Up
Tunneling mIRC with HTTPort (03-Apr-03) by crano
Hey all,
Many have experienced IRC tunnels dropping out. This is due to a ping timeout, and YES, it can be avoided. USING TIMERS!!!
in MIRC:
/timer0 0 20 /ctcp [yourself_here] PING
Obviously replace "[yourself_here]" with your handle...
Now this works because you are periodically sending CTCP packets to yourself asking for a ping feedback. You will then respond to yourself with the necessary ping response. The IRC server however, simply sees your ping and resets the timeout value.
And Tadda! No more dropouts...
Up
Installing HTTHost as a service (20-Feb-03) by Arjen
How to install HTTHOST as a system service under Windows XP/2000/NT
Step 1
Create a directory under your root and call it SRVANY and copy these two files:
SRVANY.EXE and INSTSRV.EXE into the SRVANY directory. You can get them here (http://bscw.gmd.de/Download/srvany.zip) as a zip file.
Step 2
Go to the DOS Command prompt and navigate to the SRVANY Directory. At the command prompt type:
INSTSRV HTTHOST c:/srvany/srvany.exe
Notice the second element on the command line "HTTHOST". This is the "name" of the service that you will create. Later, you will go to the control panel Services and will access the service by this name. More later. The point here is that since you are creating a name, you can call it anything you want.
Step 3
Start regedit.
Step 4
Open up the key HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/HTTHOST
Step 5
Right click on 'HTTHOST' and create a new key 'Parameters'
Step 6
Right click on 'Parameters' and create a new string 'Application'.
Step 7
Double-click on 'Application' and add the command to start-up the commandline-HTTHOST server, e.g.
"C:/htthost/htthostc.exe start"
Close it all up and exit the REGEDT32 program.
Step 8
Open the control panel Services and scroll to the HTTHOST line and double click on it. A dialog box opens up. Choose the Startup Type: Automatic (for unattended operation, this will allow the HTTHOST server to be active when there is no one logged on). Click on the Local System Account and dissable 'Service to Interact with Desktop' in the 'Log On As: section'.
Step9 (Final)
Press OK, and choose Close in the Services applet. You're done. Try first to start the service from the services applet. It should be started. If that works, you can test your setup by shutting down the machine properly and re-booting. HTTHOST will be active before you even log on. Try to access the HTTHOST Server now from another machine before you log on.
That's it.
Hint:
To stop the HTTHOST Server, enter in a DOS shell
>c:/htthost/htthostc.exe stop
This will terminate the server properly, e.g. it creates the tables necessary for the fast start-up mode.
Note: I have edited the info which originally came from http://bscw.gmd.de/bscwserv.html.
Installing htthost like above really works!
Up
HTTHost 1.7.0 Personal Edition (09-Dec-02) by Targeted
Ok, a year (!) later the new version of HTTHost is out. I don't have time to spare on this project, sadly.
Anyway, the new version is out. Version 1.7.0 adds a feature, raises up a crippling limit and changes distribution policy.
Feature:
+ You can now enter addresses to bind, allow connections from etc. not only as dotted IPs but also as DNS names. If you check the appropriate checkbox in options, the names will be requeried once a minute so that HTTHost automatically rebinds to the new IPs if they do change. This is done for home users with dynamic IP providers, their feedback has been heard. Please make sure you know what a DNS spoofing is when you enter a re-readable DNS name in "Allow connections from" field.
Limit:
+ 64 instead of 8 connections. See eula.txt for what this software may be used for.
x Status:
HTTHost is a giftware now. See the appropriate tab.
Thanks !
Up
WinMX woes (24-Jul-02) by Targeted
File sharing apps using HTTPort.
The FAQ says that you can use WinMX as the app of a choice. The only reason for that would be that it was the first (and the only so far) that I found to support SOCKS4. And it _does_ work with HTTPort (trust me ! trust me ! :) Just note that you can use ANY that supports SOCKS4.
Now, it appears to be that users tend to have problems with it. Ex. this message from TheDude here: http://www.htthost.com/ultraboard/UltraBoard.pl?action=Read&BID=3&TID=530&SID=23643
Let's take this as a case study.
First, whoever is asking questions about HTTPort, PLEASE, read FAQ question #2 and provide ALL the info.
Second, as I GUESS, TheDude uses public HTTHost server, which is heavily loaded and very slow (see another article), whereas I used one of the privileged servers (for registered users). Note that you should register or use a (free) personal server of your own if you want speed. The public server is your last chance and would normally be used for mail and instant messengers (i.e. few small packets). Bulk transfers through public host are out of question.
Third, the tests. Upon this article I tried both actually. It still does work fine with the privileged server. The speed is questionable, but it's always that way (please see another article), especially with p2p where it's difficult to estimate the other side's caps. It doesn't quite work with the public server. Like TheDude said, it connects and searches, but downloads time out. Actually, I have seen "connected, negotiating" message a couple of times, so it's not hopeless, but no downloads still. Note that even if they started, with the public server the speed would have been in range of 10bytes/sec, uhm, MP3s anyone ?
Finally, the results. How comes it doesn't work with public server ? I can't tell 100%, but here is what I think:
1. Public server is SLOW. Not only the traffic is shared among 100s of users, the timeouts are also large (3:6:9 for those who care). This means that typical send/recv takes about 10 sec. I would guess that such timeouts are too big to break internal logic of WinMX. Ex. - they thought the connection would be fast (man, who would ever imagine file sharing over a line with 10 sec latency ???)
Btw, the tests show different WinMX behaviour - ex. with slow server it does not even try to connect to HTTPort (so, when you see "waiting for network reply" it waits, but I don't know who is it waiting for and it certainly is not a connection to a file-providing-peer).
2. Public server has almost all the ports below 1024 blocked (as described here: http://www.htthost.com/service_limitations.htm). I do NOT think it's a problem for file sharing on ports like 6699, but still, it is another difference in public server from privileged or personal server.
So, please do not expect a lot for a free server. Register or install your own server and be happy.
If you care enough, contact WinMX, ask THEM and if you please, let me know the results.
Thanks.
Up
HTTPort 3.SNF (21-Jun-02) by Targeted
Ok, here goes another letter at the end of the version name. As you might have noticed, it means the significantly new release. On the other hand, the farther from the dot, the less significant the changes are.
So, what's new in HTTPort 3.SNF ?
The main added feature only works in "Remote Host" mode. It is sort of a smarter retry, if the request to HTTHost fails, HTTPort tries harder to still get the response. I have also lowered the retry timeouts so immediately upon a failure there is a burst of retries and hopefully one or another will get the job done.
If your sympthoms include random disconnects and failures within minutes upon HTTPort start, try the new version.
The new version works fine with the proxy I'm behind right now (the previous did not), so I believe it's better in some way.
There is a couple of cosmetic changes as well, like check the user-agent list - it's changed, and the key creation form does not require a mouse any more (there's been some feedback on that).
And as usual with most releases there is one or two minor bugfixes, nothing critical, but something like "oops ! this is gonna fail every once in a while".
Thanks.
Up
HTTPort 3.SN2 (25-Nov-01) by Targeted
New update on HTTPort - 3.SN2.
The only thing that changed is the format of the commands that go between HTTPort and HTTHost. The new HTTHost (1.6.0 and up) supports both formats. The old HTTHost (prior to 1.6.0) does not understand the new format, therefore if you are using personal HTTHost don't forget to download the new version.
I repeat - HTTPort 3.SN2+ will only talk to HTTHost 1.6.0+.
Up
HTTPort 3.SN1 (15-Aug-01) by Targeted
The new service release 3.SN1 fixes a single minor interface bug. It's been there for a long time and I knew about it, so finally decided to fix it.
The bug prevented the configuration (mappings and settings) from being saved when Windows was shutting down and HTTPort was running.
Technically, WM_ENDSESSION message was not handled properly. Now it's fixed I hope.
Up
Building VPN with H software (12-Aug-01) by Targeted
I will describe the way of creating a transparent TCP tunnel inside the firewalled LAN using HTTPort and HTTHost.
Technically speaking, this is not a VPN, it just creates an encrypted TCP connection upon request from outside. Basically, HTTPort to HTTHost link allows all sorts of TCP/IP redirection.
Let's assume we are having a firewalled LAN. PCs inside the LAN have IP addresses from a C-class pool 123.45.67.*, allocated either statically or with DHCP. Firewall allows some ports out and some ports in. In real life most firewalls allows all ports out and very few (if any) in.
What is really crucial, that your particular firewall allows at least one port in AND HTTP protocol is allowed in on that port. If either of these conditions are not met, you may not read further. In real life, firewall may allow incoming connections on port 80 (so that the staff can run web servers inside). This is ideal.
Now, your PC inside the LAN has an IP of 123.45.67.89 and it runs Windows 98+/NT/2000. Download HTTHost personal edition, unzip it and run on this PC. You may run either a GUI version or console version as a system service (if you can figure out how to use srvany).
HTTHost configuration is as follows:
- Bind to IP: 0.0.0.0
- Bind to port: exactly the port which your firewall allows in (80?)
- Client proxy IP: 0.0.0.0
- Bind SOCKS to IP: 123.45.67.89
- Personal password: your_favourite_wine
- Passthrough: off
- Local buffer: max
- Timeouts: min
You are almost done. Now get outside the LAN. Download HTTPort. Run it and configure as follows:
- Proxy you need to bypass: 123.45.67.89
- Port: the one HTTHost listens at
- Authorize: off
- User-Agent: any
- Bypass mode: Remote host
- Use personal host at: 123.45.67.89 (does not really matter)
- Port: the one HTTHost listens at (same note)
- Password: your_favourite_wine
- Run Socks4: check
- Full Socks: check
- Encryption: to taste
You are ready to go. What can you do ? Now your workstation at 123.45.67.89 performs as an outpost. Connection initiated by HTTPort from outside will be tunneled inside the LAN, and firewall will see only (optionally encrypted) HTTP traffic on HTTHost port.
Simple example, the nearby PC at 123.45.67.90 is running IRC server, configured so that it only accepts connections from inside LAN only. In outside HTTPort map local port 6667 to remote host 123.45.67.90 port 6667. Now, outside of LAN, when you point your IRC client to 127.0.0.1:6667 your connection gets tunneled to inside the LAN, and IRC server sees is like if it came from 123.45.67.89.
Another real-life example. Certain web-based resources allow to be administered only when request originates from the company proxy. The company proxy will not serve anyone outside the LAN. Now what I do is in HTTPort outside of LAN I map some local port to the company proxy and surf using 127.0.0.1:that_port. What happens is connection is tunneled inside the LAN and company proxy sees it incoming from HTTHost (which is inside the LAN) and therefore allows it. The web-based resource sees the connection incoming from company proxy and allows administration. But I'm in fact working from outside the LAN, from pretty much anywhere.
This all works like a generic TCP/IP redirector, and you may use any other redirector exactly the same way. The good thing about HTTPort to HTTHost link is that it uses HTTP protocol as transport which is normally considered by firewalls as "safe".
Three notes:
First, your admin will NOT like this. And strictly speaking this is a security violation. So, I'm not encouraging you to do this. Think about it as of a techical feature that works if there is no other way to open firewall ports. I'd recommend that you keep your network admin informed about all you do. And it's your decision and your responsibility.
Second, anybody can run HTTPort outside and connect to HTTHost that you just run. What about the security ? Two things can save you - one, it's your_favourite_wine (i.e. password that you have chosen in both HTTHost and HTTPort), two, it's "Client proxy IP" setting in HTTHost. Passwords is (as always) subject to guess. So, keep passwords good. You don't have to enter it more than once, so why not making it hu#84hEudh26dgE or alike ? "Client proxy IP" setting in HTTHost is even better if you can figure out what it means and what to set there :) I will not describe it here. It's described in the readme.txt for HTTHost.
Third, you might have a firewall with NAT. In this case internal LAN addresses become something like 192.168.x.x and obviously there will be no way to connect to it from outside. You can configure your NAT to redirect some external port (ex. 80) to one of the internal PCs. If there is such a redirection, connection made from outside to NAT:80 will be redirected to 192.168.A.B:80. If it is so, you still can create a VPN as decribed above, making slight changes in config:
In HTTPort:
Proxy to bypass: NAT external address
Port: redirected port
Use personal host at: 192.168.A.B (does not really matter)
In HTTHost:
Bind SOCKS to IP: 192.168.A.B
That's it. Enjoy.
Up
SLOW ? DISCONNECTS ? WHY ? (25-Apr-01) by Targeted
I'm being asked the same questions again and again, so I thought I would just summarize it here as a small article.
------------------------------------------------
1. Why HTTPort is so slow ?
HTTPort is NOT slow. What is slow, is the client-server tunneling (aka "Remote host" mode) in VERY heavy load conditions. Now, why is it slow ?
Two reasons.
-----------
First, you must understand how you calculate the speed.
If you are downloading a 10M file from the web, and your throughput is 100 bytes/sec, this IS slow. Data stream is supposed to run faster than that. And it IS running faster. And this is exactly the case I was talking about when saying in the FAQ "Your limit is 22 KBytes/sec." I meant STREAMING DATA.
But if you are sending an e-mail, what's being sent is actually 10 pieces of data, 20 bytes each. Let's say HTTPort sends 20 bytes, then waits 1/10 sec., and then receives 20 bytes. How would you calculate the speed in this case ? You've just sent and received total of 40 bytes over a 1/10 sec. period. Put plain it's just 400 bytes sec, but really, is it slow ? No, not at all. It's just how the mail protocol works.
-----------
Second, you must understand the way your data has to go.
Let's say you are surfing through HTTPort mapped remote server, and HTTPort uses "Remote host" bypass mode. Every request that your local browser issues, travels like this: Browser -> HTTPort -> Local Proxy -> HTTHost -> Remote Proxy -> Some Web Site. It's a HUGE overhead already. There is a lot of links in this chain.
The slowest link is HTTHost. Why ? Because it's a free public server. It runs on a fast dedicated line, on the fast hardware, and my software (HTTHost itself) is good, I'm proud of it, but you are not alone. There are hundreds of users with their browsers trying to push their data through the same pipe. What would you expect ? 1.5 MBit/sec. ? Of course not.
-----------
What can you do to make it faster ?
1. Use SSL/Connect mode in your HTTPort. This is your best bet. Unfortunately it's not always supported by proxies, and if it is not supported, there is nothing you can do about it, if only you don't hang out with the your proxy admin over a beer.
2. Install your own HTTHost. Requires that you have dedicated hardware with permanent Internet on outside of your proxy. This usually applies to western world, where cable modems and DSLs are common. Personal HTTHost WILL BE faster, because you can set it to lower timeouts, and the link is all yours.
3. Register, pay and use one of the payed HTTHosts available. Requires that you have a credit card and want to pay. Don't blame me for that. I don't own a clearing house, so I can't implement any other payment schemes other than provided by PayPal or other similar pals. And if you thought the fast dedicated network connection is free, think again. Connection WILL BE faster for registered users for the same reasons as in 2.
------------------------------------------------
2. Why something does not work as good as it should ?
For instance, MSN gets disconnected all the time, IRC disconnects sometimes etc.
First, I would like to point out - HTTPort is nothing but a tunnel, and it works. It transfers data.
All bad thing usually occur in the "Remote host" mode as well. The reason is simple - your connections are tunneled through the same server with those of other 100s of users. Now walk in IRC server's shoes - what would you see ? You would see that there is a computer out there (the server running public HTTHost), which has 100s of users trying to connect to you. Who would you like best ? Alice or Bob ? Or may be Charlie ? You just can't allow all of them use you at the same time.
Technically speaking, when you are tunneling a connection, HTTHost IS YOU. Your identity is moved to another place. Good - it's anonimity itself. Bad - you are not alone (again).
Some protocols, like MSN may use IP address as a unique attribute of a user. Others like IRC, may limit the number of users that is allowed to log in from a single IP address.
Let you be IRC server again. You allow as many as 2 users to log in from the same IP address. Alice logs in via HTTPort. OK. Bob logs in via HTTPort. OK. Charlie logs in via HTTPort. What do you do ? Disconnect Alice ? Deny Charlie ? It's up to you to decide, but somebody out there WILL BE unhappy.
-----------
What can you do to ease this pain ?
Exactly the same three things as above.
Up
HTTPort 3.SN (28-Mar-01) by Targeted
The new version of HTTPort is released. The new version features:
----------------------------------
1. NTLM and other authentication schemes support.
HTTPort can now bypass a proxy which has a domain/username/password authentication AKA NTLM authentication. Any other authentication scheme which is supported by Windows (Internet Explorer) should be handled by HTTPort.
This is how it works:
You specify in HTTPort that your proxy requires authorization (by checking the Authorize checkbox and entering your username and password in proper fields).
HTTPort attempts to use simplest Basic authentication scheme with proxy. If it fails, HTTPort says, "Ok, I tried." and switches to a different mode of operation, where it fully relies on Internet Explorer engine to make requests. From this point on, HTTPort does not care about any authentication. If Internet Explorer can make it through - great. If not - pity.
Note: NTLM support is only enabled in "Remote host" bypass mode.
----------------------------------
2. Improved protocol.
HTTPort to HTTHost tunnel is now more resistant to temporary proxy faults and glitches.
----------------------------------
3. Privileged user status.
When you register, using [Register] button, get to the registration web page and pay (yes, this feature is NOT free), you are authorized to use one of the "privileged hosts". Privileged hosts are faster for the following reasons:
- They are built with smaller internal timeouts and delays.
- They work on a separate hardware.
- They work on a separate Internet pipes.
- They are shared by few users only, not by hundreds, like public hosts.
----------------------------------
Those of you who use personal edition of HTTHost may want to download the new version 1.5.0. All versions of HTTPort and HTTHost are backwards and forwards compatible, but it's recommended that you use HTTPort 3.SN with HTTHost 1.5.0.
Thank you for using this software and enjoy.
Up
Encryption in HTTPort 3 (23-Mar-01) by Targeted
When you turn encryption on in HTTPort, all data that your applications transfer through HTTPort goes between HTTPort and HTTHost encrypted.
Before two parties can establish an encrypted channel, they both must know the same secret key. This key is used for encryption on one end and decryption on the other end and vice versa.
Since you just created your own random key, nobody may have known it beforehand, so there must be a way of transferring it to the HTTHost server, before it can decrypt your traffic.
The process of transferring key that one party knows to the other party is called key exchange or key negotiation. Different algorithms are used in transferred data encryption and in key negotiation.
HTTPort uses Blowfish for bulk data encryption and RSA during key exchange or negotiation.
The public domain DCPCrypt library (c) David Barton is used for Blowfish and RMD-160. Own implementation of RSA is used.
For more info on Blowfish, visit http://www.counterpane.com/blowfish and for RSA go to http://www.rsasecurity.com/
-----------------------------------
This is how it works:
You create your random Blowfish key:
1. You draw something on the pad.
2. This pad is actually a bit array. HTTPort calculates RMD-160 hash function of that array.
3. This hash data is a seed for a random number generator. HTTPort uses XORed outputs of regular C rand() and Mersenne Twister generator. rand() takes another 32 bits of seed (current time). I'm aware that these 32 bits are not random at all, so saying 192 bit is a little hype, you may think of just 160 bits.
4. 24 random bytes are generated and this becomes your key, denoted as Bk.
Key negotiation:
(Me, Md) is the master RSA key. Em and Dm is Master RSA encryption and decryption respectively.
(He, Hd) is a HTTHost RSA key. Eh and Dh is HTTHost RSA encryption and decryption respectively.
H is a hash function (derived from RMD-160).
1. All HTTPorts go with Md. All HTTHosts go with Hd and precalculated Em(He).
2. HTTPort sends H(Bk) to HTTHost.
3. HTTHost checks its key cache to see if the key with that hash is already known. If it is, go to 10.
4. If not, HTTHost responds with Em(He).
5. HTTPort calculates Dm(Em(He)) = He using Md.
6. HTTPort calculates Eh(Bk) using He and sends it to HTTHost.
7. HTTHost calculates Dh(Eh(Bk)) = Bk using Hd.
8. HTTHost responds with H(Bk).
9. HTTPort checks the hash to match. If it matches, both sides have the key.
10. Bk is used for generating a Blowfish key schedule.
11. From that point, every request that goes from HTTPort to HTTHost has an additional parameter H(Bk). Both HTTPort and HTTHost know the key schedule for key with that hash, and they both encrypt to that key schedule using Blowfish in CBC mode with zero IV.
This is a very simplistic approach, it can only thwart a rather chaotic and resource limited atacker. The main purpose of the described encryption is to prevent proxy admins from recovering the plaintext data being transferred by examining the proxy logs. This task is solved all right, unless they are really up to it, with 2^128 calculations and such.
On the other hand, it won't save you from other problems, for instance, it has no tampering protection (checksum, hash or anything) and it falls to the replay attack and other because the key does not ever change (unless you manually generate another one afresh).
This is not to mention that if you are using personal edition of HTTHost and didn't order your own RSA key on the site, you are using the same RSA key pair as the rest of the world does. This RSA key pair is used as an armoured transport during randomly generated key transfer to the HTTHost server. Now, if the attacker manages to intercept those few HTTP requests that carry the (RSA encrypted) Blowfish key, she could easily recover the key by knowing the RSA key. But if these first requests went unnoticed, the key has been delivered safely and RSA key knowledge makes no good at all as it's not used any more.
Be careful. HTTPort does encrypt the data, but see for yourself whether this is good enough for you.
Up
HTTPort 3.S1 (08-Feb-01) by Targeted
The service release 3.S1 is available for downloading. Major "FTP upload through SOCKS" bug is fixed. Minor interface bug is fixed.
Up
HTTPort 3 and FTP problems (08-Feb-01) by Targeted
Since version 3.S it's possible to use local FTP clients through HTTPort. The suggested way of doing this is pointing the FTP client to 127.0.0.1:1080 as a SOCKS4 server.
There has been recently reported a problem, which turned out to be a bug in HTTPort code. When uploading files with FTP via HTTPort, the uploaded files have invalid length or just do not appear where they are supposed to appear.
This bug is fixed in version 3.S1 (service release 1). So everyone is invited to download the updated version.
-----------------
Yet upon closer look I've found another problem with FTP, and this is not an HTTPort problem, but rather FTP clients feature aka bug. Well, it's not a bug, it's rather an inconsistent behaviour.
This problem arises in "Remote host" mode only.
-----------------
Here is the technical description of the problem:
FTP deals with (at least) two channels (links) being opened between client and server.
The main (control) link to the FTP server is used for sending commands.
Additional links are being opened whenever necessary for downloading or uploading files.
Most of the feature-rich FTP clients allow you to turn on "Keep-alives" on control link. Keep-alive is just a periodic "ping", sent through connection with no other reason but to prevent the connection from being closed as idle.
Now let's say we have an open control FTP link through HTTPort and HTTHost (remote host mode only !). If nothing's going on, keep-alives are being sent and everything's ok.
Now we start uploading a big file. Another link is being opened and data transfer starts.
The problem is - CuteFTP stops sending keep-alives through the control link when there is a data transfer through a data link.
From HTTHost (remote host) point of view, there are two tunneled links. One has been sending keep-alives but just recently it stopped doing this. The other is active and some data is transferred through it.
There is no way the HTTHost can associate these two together, so the first link is considered idle and is closed upon timeout expiration.
CuteFTP sees control link being terminated and closes everything, terminating data transfer in progress.
Luckily this only happens with uploading, because CuteFTP uses the control link itself for downloading files. This means that the connection is not idle, it transfers data and HTTHost does not close it.
So, unless your FTP client properly keeps alive all its connections, you can only upload a file small enough to be uploaded before HTTHost timeout expires.
There is no obvious way around this problem.
Up
HTTPort version 3.S (29-Jan-01) by Targeted
Ok, the new version of HTTPort is here after all. I still have a couple of ideas on how to improve this software, but at it's current state it's just good to go.
Here is what you might want to know about the new version of HTTPort:
---------------------------------------------
1. It now has a built-in SOCKS4 server. This means that whatever local software you have that may be connected through SOCKS4 proxy, may be connected directly through HTTPort. And among others this includes ICQ and FTP. Good news, I believe.
SOCKS support makes HTTPort superior to SOCKS2HTTP application, because S2H only has SOCKS support, and it does not have HTTPort's original port mapping concept (well, it didn't when I tried it last time).
I wouldn't go for SOCKS5 support, mainly because the only difference is that SOCKS5 defines methods for tunneling UDP, whereas HTTPort is incapable of working with UDP at all. So there is no point of pretending somebody is capable of SOCKS5 when in fact it's SOCKS4.
---------------------------------------------
2. It has strong traffic encryption. Well, I like this feature too. In prior version (2.2) when you use "Remote Host" mode (i.e. have your data transferred through remote HTTHost server), your data and destination routes are logged in your proxy logs, and administrator can decode it and see what you are actually doing.
With the new version, when you turn encryption on, all traffic that goes between HTTHost and HTTPort, including the data and host addresses is encrypted using strong cryptographic algorithms. RSA 1024 bit is used for key exchange, Blowfish 192 bit is used for actual encryption. I wouldn't say it's theoretically impossible to break this, but for the time being it's fine.
And yes, I repeat it one more time - strong crypto is illegal and/or controlled in certain countries. Be aware that using "strong encryption" feature will break the law there. Nevertheless since you don't turn this feature on, I'd say it's ok to use HTTPort even in those countries. I could be wrong though, mainly because of cryptographic import restrictions. See, even if you don't use it, you are bringing it in (importing) into the country...
---------------------------------------------
3. Now you may download and use your own little HTTHost server. This feature is my favourite :)
HTTPort was designed to be capable of using any public HTTHost available out there. You don't see it, but HTTPort can dynamically select a host from a so-called "known hosts list". This is how it works normally. This is the default behaviour and for most of the users out there it's the only way.
I recommend that you leave personal HTTHost alone unless you know exactly what you are doing.
This is how personal HTTHost works:
You must have the PC with full Internet access outside your proxy at which you can install HTTHost.
Let's say you want to bypass your proxy at work. And at home you have a PC connected to the Internet with cable or DSL. Or you have your friend's server which is also connected, etc.
First you configure and run HTTHost at your PC at home (or, at your friend's etc.). You must know the address of the PC at which the HTTHost is running. Well, since you are thinking about setting up your own server software I hope you know this stuff a little.
Then you set up HTTPort at work to use personal host at that address. From this point all your traffic will go to that personal host only. If you have worried about the security of your data being transferred through public hosts - you may relax now. I just can't help myself being bad - do you know that Internet is an open network ? Anybody can observe your data if it's not encrypted. Now relax if you can :)
Note that access to personal HTTHost is protected with password. Yet, anybody can _try_ to use your HTTHost. And if they succeed (because of password match), they can use _your_ personal host to do just anything - like sending spam or breaking sites - _on_your_behalf_. Therefore be cautious and remember - it's only your responsibility.
Well, that's all what I wanted to say.
Thank you for reading this and enjoy this software.
Up
To post a message, register first.
Hosted by SSI Micro
To post a message, register first.
Contents:
"HTTPort/HTTHost speed (again)" by Targeted �
"HTTPort 3.SNFM and HTTHost 1.8.0" by Targeted �
"Running HTTHost under Unix" by Targeted �
"HTTPort 3.SNF2 and SDK 1.3.19" by Targeted �
"HTTHost 1.7.1 and SDK 1.3.18" by Targeted �
"HTTPort 3.SNF1" by Targeted �
"Personal HTTHost Installation /1" by Targeted �
"Personal HTTHost Installation /2" by Targeted �
"Tunneling mIRC with HTTPort" by crano �
"Installing HTTHost as a service" by Arjen �
"HTTHost 1.7.0 Personal Edition" by Targeted �
"WinMX woes" by Targeted �
"HTTPort 3.SNF" by Targeted �
"HTTPort 3.SN2" by Targeted �
"HTTPort 3.SN1" by Targeted �
"Building VPN with H software" by Targeted �
"SLOW ? DISCONNECTS ? WHY ?" by Targeted �
"HTTPort 3.SN" by Targeted �
"Encryption in HTTPort 3" by Targeted �
"HTTPort 3.S1" by Targeted �
"HTTPort 3 and FTP problems" by Targeted �
"HTTPort version 3.S" by Targeted �
HTTPort/HTTHost speed (again) (09-Dec-04) by Targeted
The main design decision which basically made HTTPort what it is was the wish to keep it invisible and indistinguishable from the "normal" HTTP traffic generated by a "normal" user agent (browser). Therefore, HTTPort talks to HTTHost with a sequence of independent HTTP GET requests, each having a short lifetime and returning very limited amount of data.
Therefore HTTPort and HTTHost talk via a sequence of regular HTTP GET requests. A request is always initiated by the client. Each request contains protocol data and possibly (with 'send' protocol command) some tunneled data flowing from the client to the server. Each response in turn contains protocol data and possibly (when responding to 'recv' protocol command) some tunneled data flowing from the server to the client. One thing to note here - no matter if HTTHost server has data to be sent to the client, it still has to wait until a 'recv' request arrives from the HTTPort. This is known as polling and is also an important architectural decision.
Now, network "speed" is a sum of two things - throughput and latency.
Note however that there are parts that will always be there and can't be avoided. These are delays imposed by the proxy, and by the network. No matter what you do, those two are always there and add significantly. I will be using N for the average number of requests per second the proxy being tunneled can get through from any given client to any given server. I'd say this is normally well under 10. Evenly significant is the fact that HTTPort/HTTHost exist to tunnel traffic to some 3rd server, and it's speed and availability are of utter importance too.
So, THROUGHPUT:
There is one thing that significantly cripples _sending_ throughput capability. Remember that client tunneled data is sent embedded within an HTTP GET request. But HTTP GET request is sort of limited with places where such auxiliary information can be inserted. HTTPort can use two places for data insertion - one (default) optimistic and one (if optimistic fails) pessimistic.
* Optimistic: embed data as a separate request field. Example - if the client sends tunneled plaintext SMTP data "HELO myname", this data is base64 encoded (which gives "SEVMTyBteW5h") and added to the request like this:
GET /protocol-specific-url(field=Qwerty) HTTP/1.1
Host: htthost.server
Qwerty: SEVMTyBteW5h
where Qwerty is a random field name. This is a valid and working approach, but it's still limited in that you can't make request header fields arbitrary large, or proxies would start to deny it. For instance, Squid had a default limit of 10K for request header last time I checked. In HTTPort the maximum length of data to be sent from client to the server within a single request field is controlled with MAX_HTTP_SEND_QUOTA constant which is 2048 by default. This means that no matter what you do, speed of sending client data to the server won't exceed 2K * N / sec
* Pessimistic: an HTTP proxy (Squid is a fine example) can be configured so that it accepts only requests with known fields, or removes unknown fields. In Squid config this option is called "paranoid". In the above example the proxy would have removed the Qwerty header field thus making it impossible to send data. HTTPort detects such an unfortunate case and switches to another mode of sending, where the data is embedded in the URL itself, like this:
GET /protocol-specific-url(data=SEVMTyBteW5h) HTTP/1.1
Host: htthost.server
As you might guess, the URL is also limited in size by most proxies and this limit is even more severe. In HTTPort the amount of data to send within URL per request is not compiled in, but set at runtime instead. This is what DataOverride option in the ini file is for, it contains that number of bytes to be sent within a URL. You can increase this parameter but hardly above 1024. Even in this case, the absolute top speed for sending data would be 1K * N /sec.
There is one more constant left which controls throughput and this time it's server-to-client transfers. The AVG_HTTP_RECV_QUOTA compiled in HTTHost controls the average number of bytes that is encoded within a single response to 'recv' request, it equals 32K by default, therefore HTTPort can't fetch more than 32K per request. Given that the data is transferred in BASE64 encoded form, this makes about 22 * N K/sec top download throughput.
Then, LATENCY:
To lower latency you basically need to decrease all the timeouts there are, but then there's something to bite you in return. For example if you remove all the timeouts, HTTPort starts sending requests to HTTHost like crazy, overloading proxy and network. Who cares if it's for purpose, ex. you are up to something important and it really matters. But consider there's no data to send in either direction (the tunnel is idle). As HTTPort uses polling it still needs to send an HTTP request to HTTHost just to make sure there's (no) data to be received. And as you have removed all the timeouts, this polling will be seen by the proxy as a constant endless stream of HTTP requests, which eats a lot of bandwidth, hence $$. Also pretty suspicious to the admin, while HTTPort was designed as an invisible tool.
There also are protocol timeouts are controlled exclusively by the HTTHost. Each time a request arrives from HTTPort, HTTHost processes it and returns a response. The response contains a number of seconds this HTTPort has to wait before issuing next request. The actual number returned depends on whether there is more data for the client to fetch or not. If there is, MIN_DELAY is returned, if there was, but it's all fetched with current request, MID_DELAY, and if there is totally no data, MAX_DELAY. This setting is controlled in HTTHost on the Options page using Timeouts dropdown field.
Up
HTTPort 3.SNFM and HTTHost 1.8.0 (15-Jan-04) by Targeted
As of January 14, 2004, the new versions of both HTTPort and HTTHost are released. Leaving detailed description of changes to the changelog, I will focus on the main change:
HTTPort and HTTHost talk using their own protocol. The messages of that protocol have to go through the proxy and they are therefore hidden inside valid HTTP GET requests/responses. The way those requests are encoded hasn't changed since version 3.SN2, which is over 2 years back already. This encoding is pretty good actually, it's random and has no patterns in the URL, but the responses are sort of simplistic (fake HTML pages), but who cares since it works. How many proxies out there will go for on-the-fly HTML analysis ?
Now, there goes the change - I have moved all the requests/responses encoding code to the external DLL, which is available with sources. So, if you want to turn your HTTPort traffic into anything HTTP-based, go right ahead, modify the code, build the DLL, copy it to both your HTTPort and HTTHost and away you go. And yes, you have to run your own HTTHost to modify the encoding DLL.
For the same reason, support for custom user-defined "User-Agent" request header field has been added. To specify your own user agent, set "User-Agent" dropdown to "None/Custom", then close HTTPort and edit httport.ini, specifically it's CustomUserAgent=... entry.
For the same reason, support for any other user-defined request header fields has been added. To specify your own fields, edit file httport.hdr.
Up
Running HTTHost under Unix (08-Jan-04) by Targeted
As mentioned on the main site, after recent happy move to FreeBSD, Technology Networks now runs HTTHosts (native Win32 apps) under Win32 binary emulator Wine http://www.winehq.com/
I don't know any details on how it's done, but as far as I know it wasn't difficult at all - install, copy HTTHost, copy all required DLLs and off it goes. I hope Mike posts a detailed article here soon. For now I'd suggest that you simply try running it under Wine following the standard Wine procedures.
Up
HTTPort 3.SNF2 and SDK 1.3.19 (01-Sep-03) by Targeted
Version 3.SNF1 of HTTPort introduced a bug. That version started to exclusively use WinInet for handling HTTP requests. The WinInet module appeared to silently assume that HTTHost always runs on port 80 - the HTTHost port number was not passed properly. All worked fine except for when HTTHost runs on different port - in which case it didn't work at all. Same problem was true for SDK 1.3.16+ I believe.
Now, version 3.SNF2 (1.3.19 for SDK) fixes the problem, and HTTHosts can be run on any port.
Up
HTTHost 1.7.1 and SDK 1.3.18 (03-Jun-03) by Targeted
The server component for HTTPort (HTTHost) is updated, it's version 1.7.1 now. No bugfixes, just a default behaviour change.
In case the target server (the one being tunneled to) is too slow (slower than top HTTPort upload speed, which is 2KBytes times HTTPort-HTTHost requests per second), HTTPort keeps sending data to HTTHost, the local buffer gets full and HTTHost drops the connection. This was the by design behaviour to begin with, but I've long forgotten this and got furious when it hit. So I've done two things - (1) increased the size of the local per-connection buffer (see "Options" tab), which is sort of a stupid and (2) fixed HTTHost to activate maximum timeout whenever data HTTPort arrives and the buffer is not empty. This will delay the next send attempt by at least 2 seconds, thus giving the slow peer time to pick up it's data.
Changes in the SDK reflect both. HTTPort.DLL only has the "Last FTP send" bug fixed (it was using WinInet only since long ago). SDK HTTHost changed in exactly the above described ways.
That's it. Thanks !
Up
HTTPort 3.SNF1 (28-May-03) by Targeted
HTTPort 3.SNF1 is released almost a year after the previous 3.SNF. Again, I have nearly no time to spare on this project.
So, what's changed ?
1. I fixed (I think I did :) the infamous "no config save on system shutdown". Guess what ? Delphi didn't call "FormDestroy" event when the application was hidden. I use old Delphi 5, so this may be the problem, but still. Moved the cleanup code to "FormClose" event handler instead.
2. What's bugged me even more is the worse "last FTP send" bug. When uploading small files with FTP, the last bytes have been lost sometimes, the file was thus truncated. The problem turned out to be that when the connection was closed on the client side, the mapping thread saw an error and discarded all the queued HTTP requests on the connection, even if there was a pending send. Stupid bug but fix wasn't obvious. Had to fix the queue so that the requests can be ordered, and another thread won't pick a disconnect request before a pending send is complete.
3. Removed everything Ad/Banner related. You can see this by changes in eula.txt and the httport.sup file absence. The setup file has shrunk by ~200K which is good too. Banners never actually worked in the field, which is strange, especially given the amount of work it required to build. BUT ! :) I have included a clickable "Send a Gift" URL which points to the same wishlist the HTTHost's URL does.
4. All the requests are now made with WinInet engine. Native low level GETs code is totally removed. The UseWinInet setting has vanished from httport.ini.
So, please try the new version and see if it's any better. Thanks.
Up
Personal HTTHost Installation /1 (16-Apr-03) by Targeted
Here is the step by step instructions on how to install personal HTTHost. It would certainly be great if I could write such an instructions for people with no networking knowledge. Unfortunately, I just can't. I have to use proper terminology and assume you know some basic facts. What I suggest you do if you don't, is find a friend who does. Asking someone who knows is by far the best way of installing software. So, please have your guru friend handy at all times.
If at some point you say "pfff... I don't need that as I know better than that guy", sure go right ahead. It's YOUR problem after all.
Having said all that, let's begin.
For any computer X, let IP(X) be an IP address of that computer. To determine IP(X) locally (while sitting behind X), use ipconfig.exe or winipfg.exe utilities (simply launch them from command line and check the output).
c:> ipconfig.exe
c:> winipcfg.exe
For any computer X, let DN(X) be a Domain Name of that computer (ex. www.yahoo.com or irc.somenet.com). Not all X's have DN(X), but some of them do. DN(X) can be resolved into IP(X) using nslookup utility. Run it from command line like
c:> nslookup DN(X)
and you get IP(X)
For any computer X, let A(X) be an Administrator of that computer, that is, a real person who is responsible for it and/or owns it.
Let BP be a computer Behind a Proxy. It's probably YOUR PC, it's blocked behind a proxy/firewall and you are totally not happy with it.
Let P be a Proxy. Finding P can be trickier. See HTTPort help on finding P (use [?] button on proxy fields and read through).
Step 1. Find a computer outside a proxy (OP) running Windows 98/NT/2K/XP. I can see three possibilities - OP can be run (1) at your home on some sort of cable or DSL OR (2) same but at your friend's home OR (3) at some company run by a friend of yours in a rack, connected with permanent lease line. Note: OP connected with a telephone line modem is nearly out of question. I wouldn't even try.
Check if you are still here with the cases above:
(1) A(OP) = you
(2) A(OP) = your friend
(3) A(OP) = some long haired guy
In all cases, two people will help you if you are stuck - A(OP) and some other guru friend.
The worst case would be (1), where A(OP) are yourself. I will discuss that case separately below. I suggest that you still read the steps through.
Step 2. Ask A(OP) for IP(OP). If IP(OP) is one of the following: 192.168.x.x, 10.x.x.x, 172.16.x.x, then it's a no go, the server doesn't have an external IP address. It means OP is itself blocked with not just a firewall, but NAT which is worse. There are ways around NAT, like port redirection, but it's way too heavy to discuss here. Ask again or go to step 100.
Step 3. Ask A(OP) if IP(OP) is a static or dynamic. Static means that it's been assigned once and doesn't change in time. Dynamic means that it's being allocated periodically (most often - whenever OP is starting) and can change from time to time. Dynamic addresses typically get allocated with DHCP (Dynamic Host Configuration Protocol). If it's static go to Step 5.
Step 4. Something about OP must be static. It's not IP, then it must be DN. Ask A(OP) for DN(OP). If there is none, go to step 100.
Step 5. Ask A(OP) if OP is behind a firewall or not. If not, go to step 7, otherwise ask A(OP) if any unused TCP port is open on the firewal for incoming connections. If not, ask A(OP) if it's possible to open one. If not, go to step 100. Ask for the number of the port.
Step 6. Now we have at least one open incoming TCP port N. Write IP(OP) or DN(OP) and N down. Next thing to do is to make N = 80. This means that A(OP) must let you use incoming port 80 on OP. This can be easy if there is no web server running on OP already (port 80 is usually taken by a web server). In case there is a web server, A(OP) can tell you "no way I'm giving it up". Tell A(OP) that HTTHost has a "passthrough" feature that allows BOTH HTTHost and web server run on a same port (technically they aren't, but it looks like this from outside anyway). So if A(OP) does you a favour, you can both use port 80. Having N = 80 is a major (!) advantage. Having it not 80 can turn in troubles later. Try as hard as you can to make it 80.
Step 7. Ask A(OP) if and which outgoing TCP connections are allowed on the firewall. If they aren't, go to step 100. If only some of them are, you will only be able to tunnel to exactly that ports through this HTTHost. The reason is - when you are tunneling, HTTHost is your eyes and ears. If it's run on an OP which is locked out, you are effectively blind. High unhappiness warning.
Step 8. So, you are sure most of the outgoing connections can make through from OP. Let's do a quick check. While at OP, launch a browser, turn off the proxy in it (!) and surf to http://www.yahoo.com/ If you can't, A(OP) must have fooled you about the free availability of outgoing connections (specifically on port 80). In this case go to step 7.
Step 9. Yahoo got through. Still at OP, go to http://www.htthost.com/ and download latest HTTHost package. Unzip to any local directory. Run htthost.exe.
Step 10. On "Options" tab, in "Bind listening to" and "Bind external to" put either IP(OP) or DN(OP) what have you. Put N in "Bind listening to Port". If it's DN(OP) you entered, check the "Revalidate DNS names" checkbox. Put 777 in "Personal password". Check "Passthrough unrecognized requests to". In "Host name" and "Port" below the "passthrough" enter www.yahoo.com and 80 respectively. Click "Apply". See "Log" tab. There should be NO error messages. If you see "bind() failed" error, then N is wrong, as it's already taken by some other software. With bind() error, go to step 5. With any other error, go to step 200.
Step 11. Get to BP. Launch your browser of choice, make sure it's configured to use P, and surf to http://IP(OP):N/ or http://DN(OP):N/
Step 12. You should get Yahoo. It's actually HTTHost's passthrough working. Your browser's request gets to P, P sends it to OP, OP has HTTHost running at port N, and so the request gets to HTTHost. HTTHost sees that it can't handle that request, redirects it to Yahoo and sends you the result.
Step 13. If you get Yahoo at this point, you are nearly there. If there is no Yahoo, check and double check everything and try again. ... I mean - check it and try again. Don't just skip this and send a "help me now" mail.
Step 14. If you are getting no Yahoo, and all settings are correct, your proxy forbids you from surfing to http://OP:N/ altogether. HTTPort won't work. See what kind of an error browser reports. Most likely it's an "Access denied" sort of an error, and the cause is that N is not equal to 80. If N is not 80, go to step 6. Otherwise go to step 200.
Step 15. While at BP, install HTTPort. In "Proxy you want to bypass" enter IP(P) or DN(P) and in "Port" enter P's port (did I mention [?] button help ?). In "Use privileged host at" enter IP(OP) or DN(OP) and N. Set "User-Agent" to the browser you just tried. Set "Personal password" to 777. Go to "Mapping" tab. Add a mapping with local port "8888", remote host "www.yahoo.com" and remote port "80". Click Start.
Step 16. Go to your browser. TURN THE PROXY OFF. Having no proxy set in your browser, surf to http://127.0.0.1:8888. Have HTTPort handy with Mapping tab active so that you see the green/red LEDs. At this point you should get Yahoo in your browser, green LEDs in your HTTPort and Statistics counts incremented in HTTHost at OP. You may call A(OP) to get the stats checked (you are at BP now, remember ?).
Step 17. If you got Yahoo, go to step 300.
Step 18. You got no Yahoo. Go to step 200.
Step 100. Bad luck. Find a different OP and repeat from step 1.
Up
Personal HTTHost Installation /2 (15-Apr-03) by Targeted
Step 200. It doesn't work. Check everything. Check the whole chain:
Browser -(I)-> HTTPort -(II)-> P -(III)-> OP -(IV)-> HTTHost -(V)-> Yahoo
I. Check to see if you DID TURN OFF THE PROXY so that the browser doesn't ask P for 127.0.0.1. It won't work.
II. See if there are errors in HTTPort log. See if everything's entered correctly.
III. Check to see if you can surf from BP via P to OP. This is crucial. See step 11.
IV. See HTTHost log. If there are any, ask A(OP), he's the guy to ask. See HTTHost stats page, if connections are zeroed out, HTTHost doesn't get no requests, don't blame it and check III.
V. Let me repeat it again - OP must be an open computer (as in - being able to freely access Internet and be freely accessed from Internet), as much as possible. You say Yahoo can't be got from OP. What kind of an open computer is it ?
Still doesn't work ? Call guru. Nothing else helps.
Step 300. Wow ! You did it. Congratulations. Game over. Now ask yourself what was the reason you wanted HTTPort for and start reading FAQ. :)
Where to go from here ? Installing console version of HTTHost as system service at OP will probably make you and A(OP) much happier as it won't require a logon. There is another article in this newsletter on how to to it. Another good idea is to turn encryption on and change personal password in both HTTPort and HTTHost from 777 to something less guessable.
Finally, having port N = 80 at OP is probably as good as it gets. Having it 80 will save you from a lot of troubles. Not having it 80 can break on step 11, as P say "N ? Not 80 ? Forget it" and you get nothing. How to make it 80 ? Go to step 5 and kick A(OP) until incoming TCP port 80 is unused. Point A(OP) to HTTHost's passthrough feature. If A(OP) makes you a favour, both your HTTHost and his priceless web server (taking the port 80 on OP) can share port 80 peacefully. I won't explain using passthrough here. If A(OP) decides to go for it, he will make it work, it's obvious.
Well, that's pretty much it.
P.S. Please don't expect me to help you more. I can't be physically present at the spot and remote support is way too hard for me.
If you have corrections or additions, please drop me a line and I fix it.
Up
Tunneling mIRC with HTTPort (03-Apr-03) by crano
Hey all,
Many have experienced IRC tunnels dropping out. This is due to a ping timeout, and YES, it can be avoided. USING TIMERS!!!
in MIRC:
/timer0 0 20 /ctcp [yourself_here] PING
Obviously replace "[yourself_here]" with your handle...
Now this works because you are periodically sending CTCP packets to yourself asking for a ping feedback. You will then respond to yourself with the necessary ping response. The IRC server however, simply sees your ping and resets the timeout value.
And Tadda! No more dropouts...
Up
Installing HTTHost as a service (20-Feb-03) by Arjen
How to install HTTHOST as a system service under Windows XP/2000/NT
Step 1
Create a directory under your root and call it SRVANY and copy these two files:
SRVANY.EXE and INSTSRV.EXE into the SRVANY directory. You can get them here (http://bscw.gmd.de/Download/srvany.zip) as a zip file.
Step 2
Go to the DOS Command prompt and navigate to the SRVANY Directory. At the command prompt type:
INSTSRV HTTHOST c:/srvany/srvany.exe
Notice the second element on the command line "HTTHOST". This is the "name" of the service that you will create. Later, you will go to the control panel Services and will access the service by this name. More later. The point here is that since you are creating a name, you can call it anything you want.
Step 3
Start regedit.
Step 4
Open up the key HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/HTTHOST
Step 5
Right click on 'HTTHOST' and create a new key 'Parameters'
Step 6
Right click on 'Parameters' and create a new string 'Application'.
Step 7
Double-click on 'Application' and add the command to start-up the commandline-HTTHOST server, e.g.
"C:/htthost/htthostc.exe start"
Close it all up and exit the REGEDT32 program.
Step 8
Open the control panel Services and scroll to the HTTHOST line and double click on it. A dialog box opens up. Choose the Startup Type: Automatic (for unattended operation, this will allow the HTTHOST server to be active when there is no one logged on). Click on the Local System Account and dissable 'Service to Interact with Desktop' in the 'Log On As: section'.
Step9 (Final)
Press OK, and choose Close in the Services applet. You're done. Try first to start the service from the services applet. It should be started. If that works, you can test your setup by shutting down the machine properly and re-booting. HTTHOST will be active before you even log on. Try to access the HTTHOST Server now from another machine before you log on.
That's it.
Hint:
To stop the HTTHOST Server, enter in a DOS shell
>c:/htthost/htthostc.exe stop
This will terminate the server properly, e.g. it creates the tables necessary for the fast start-up mode.
Note: I have edited the info which originally came from http://bscw.gmd.de/bscwserv.html.
Installing htthost like above really works!
Up
HTTHost 1.7.0 Personal Edition (09-Dec-02) by Targeted
Ok, a year (!) later the new version of HTTHost is out. I don't have time to spare on this project, sadly.
Anyway, the new version is out. Version 1.7.0 adds a feature, raises up a crippling limit and changes distribution policy.
Feature:
+ You can now enter addresses to bind, allow connections from etc. not only as dotted IPs but also as DNS names. If you check the appropriate checkbox in options, the names will be requeried once a minute so that HTTHost automatically rebinds to the new IPs if they do change. This is done for home users with dynamic IP providers, their feedback has been heard. Please make sure you know what a DNS spoofing is when you enter a re-readable DNS name in "Allow connections from" field.
Limit:
+ 64 instead of 8 connections. See eula.txt for what this software may be used for.
x Status:
HTTHost is a giftware now. See the appropriate tab.
Thanks !
Up
WinMX woes (24-Jul-02) by Targeted
File sharing apps using HTTPort.
The FAQ says that you can use WinMX as the app of a choice. The only reason for that would be that it was the first (and the only so far) that I found to support SOCKS4. And it _does_ work with HTTPort (trust me ! trust me ! :) Just note that you can use ANY that supports SOCKS4.
Now, it appears to be that users tend to have problems with it. Ex. this message from TheDude here: http://www.htthost.com/ultraboard/UltraBoard.pl?action=Read&BID=3&TID=530&SID=23643
Let's take this as a case study.
First, whoever is asking questions about HTTPort, PLEASE, read FAQ question #2 and provide ALL the info.
Second, as I GUESS, TheDude uses public HTTHost server, which is heavily loaded and very slow (see another article), whereas I used one of the privileged servers (for registered users). Note that you should register or use a (free) personal server of your own if you want speed. The public server is your last chance and would normally be used for mail and instant messengers (i.e. few small packets). Bulk transfers through public host are out of question.
Third, the tests. Upon this article I tried both actually. It still does work fine with the privileged server. The speed is questionable, but it's always that way (please see another article), especially with p2p where it's difficult to estimate the other side's caps. It doesn't quite work with the public server. Like TheDude said, it connects and searches, but downloads time out. Actually, I have seen "connected, negotiating" message a couple of times, so it's not hopeless, but no downloads still. Note that even if they started, with the public server the speed would have been in range of 10bytes/sec, uhm, MP3s anyone ?
Finally, the results. How comes it doesn't work with public server ? I can't tell 100%, but here is what I think:
1. Public server is SLOW. Not only the traffic is shared among 100s of users, the timeouts are also large (3:6:9 for those who care). This means that typical send/recv takes about 10 sec. I would guess that such timeouts are too big to break internal logic of WinMX. Ex. - they thought the connection would be fast (man, who would ever imagine file sharing over a line with 10 sec latency ???)
Btw, the tests show different WinMX behaviour - ex. with slow server it does not even try to connect to HTTPort (so, when you see "waiting for network reply" it waits, but I don't know who is it waiting for and it certainly is not a connection to a file-providing-peer).
2. Public server has almost all the ports below 1024 blocked (as described here: http://www.htthost.com/service_limitations.htm). I do NOT think it's a problem for file sharing on ports like 6699, but still, it is another difference in public server from privileged or personal server.
So, please do not expect a lot for a free server. Register or install your own server and be happy.
If you care enough, contact WinMX, ask THEM and if you please, let me know the results.
Thanks.
Up
HTTPort 3.SNF (21-Jun-02) by Targeted
Ok, here goes another letter at the end of the version name. As you might have noticed, it means the significantly new release. On the other hand, the farther from the dot, the less significant the changes are.
So, what's new in HTTPort 3.SNF ?
The main added feature only works in "Remote Host" mode. It is sort of a smarter retry, if the request to HTTHost fails, HTTPort tries harder to still get the response. I have also lowered the retry timeouts so immediately upon a failure there is a burst of retries and hopefully one or another will get the job done.
If your sympthoms include random disconnects and failures within minutes upon HTTPort start, try the new version.
The new version works fine with the proxy I'm behind right now (the previous did not), so I believe it's better in some way.
There is a couple of cosmetic changes as well, like check the user-agent list - it's changed, and the key creation form does not require a mouse any more (there's been some feedback on that).
And as usual with most releases there is one or two minor bugfixes, nothing critical, but something like "oops ! this is gonna fail every once in a while".
Thanks.
Up
HTTPort 3.SN2 (25-Nov-01) by Targeted
New update on HTTPort - 3.SN2.
The only thing that changed is the format of the commands that go between HTTPort and HTTHost. The new HTTHost (1.6.0 and up) supports both formats. The old HTTHost (prior to 1.6.0) does not understand the new format, therefore if you are using personal HTTHost don't forget to download the new version.
I repeat - HTTPort 3.SN2+ will only talk to HTTHost 1.6.0+.
Up
HTTPort 3.SN1 (15-Aug-01) by Targeted
The new service release 3.SN1 fixes a single minor interface bug. It's been there for a long time and I knew about it, so finally decided to fix it.
The bug prevented the configuration (mappings and settings) from being saved when Windows was shutting down and HTTPort was running.
Technically, WM_ENDSESSION message was not handled properly. Now it's fixed I hope.
Up
Building VPN with H software (12-Aug-01) by Targeted
I will describe the way of creating a transparent TCP tunnel inside the firewalled LAN using HTTPort and HTTHost.
Technically speaking, this is not a VPN, it just creates an encrypted TCP connection upon request from outside. Basically, HTTPort to HTTHost link allows all sorts of TCP/IP redirection.
Let's assume we are having a firewalled LAN. PCs inside the LAN have IP addresses from a C-class pool 123.45.67.*, allocated either statically or with DHCP. Firewall allows some ports out and some ports in. In real life most firewalls allows all ports out and very few (if any) in.
What is really crucial, that your particular firewall allows at least one port in AND HTTP protocol is allowed in on that port. If either of these conditions are not met, you may not read further. In real life, firewall may allow incoming connections on port 80 (so that the staff can run web servers inside). This is ideal.
Now, your PC inside the LAN has an IP of 123.45.67.89 and it runs Windows 98+/NT/2000. Download HTTHost personal edition, unzip it and run on this PC. You may run either a GUI version or console version as a system service (if you can figure out how to use srvany).
HTTHost configuration is as follows:
- Bind to IP: 0.0.0.0
- Bind to port: exactly the port which your firewall allows in (80?)
- Client proxy IP: 0.0.0.0
- Bind SOCKS to IP: 123.45.67.89
- Personal password: your_favourite_wine
- Passthrough: off
- Local buffer: max
- Timeouts: min
You are almost done. Now get outside the LAN. Download HTTPort. Run it and configure as follows:
- Proxy you need to bypass: 123.45.67.89
- Port: the one HTTHost listens at
- Authorize: off
- User-Agent: any
- Bypass mode: Remote host
- Use personal host at: 123.45.67.89 (does not really matter)
- Port: the one HTTHost listens at (same note)
- Password: your_favourite_wine
- Run Socks4: check
- Full Socks: check
- Encryption: to taste
You are ready to go. What can you do ? Now your workstation at 123.45.67.89 performs as an outpost. Connection initiated by HTTPort from outside will be tunneled inside the LAN, and firewall will see only (optionally encrypted) HTTP traffic on HTTHost port.
Simple example, the nearby PC at 123.45.67.90 is running IRC server, configured so that it only accepts connections from inside LAN only. In outside HTTPort map local port 6667 to remote host 123.45.67.90 port 6667. Now, outside of LAN, when you point your IRC client to 127.0.0.1:6667 your connection gets tunneled to inside the LAN, and IRC server sees is like if it came from 123.45.67.89.
Another real-life example. Certain web-based resources allow to be administered only when request originates from the company proxy. The company proxy will not serve anyone outside the LAN. Now what I do is in HTTPort outside of LAN I map some local port to the company proxy and surf using 127.0.0.1:that_port. What happens is connection is tunneled inside the LAN and company proxy sees it incoming from HTTHost (which is inside the LAN) and therefore allows it. The web-based resource sees the connection incoming from company proxy and allows administration. But I'm in fact working from outside the LAN, from pretty much anywhere.
This all works like a generic TCP/IP redirector, and you may use any other redirector exactly the same way. The good thing about HTTPort to HTTHost link is that it uses HTTP protocol as transport which is normally considered by firewalls as "safe".
Three notes:
First, your admin will NOT like this. And strictly speaking this is a security violation. So, I'm not encouraging you to do this. Think about it as of a techical feature that works if there is no other way to open firewall ports. I'd recommend that you keep your network admin informed about all you do. And it's your decision and your responsibility.
Second, anybody can run HTTPort outside and connect to HTTHost that you just run. What about the security ? Two things can save you - one, it's your_favourite_wine (i.e. password that you have chosen in both HTTHost and HTTPort), two, it's "Client proxy IP" setting in HTTHost. Passwords is (as always) subject to guess. So, keep passwords good. You don't have to enter it more than once, so why not making it hu#84hEudh26dgE or alike ? "Client proxy IP" setting in HTTHost is even better if you can figure out what it means and what to set there :) I will not describe it here. It's described in the readme.txt for HTTHost.
Third, you might have a firewall with NAT. In this case internal LAN addresses become something like 192.168.x.x and obviously there will be no way to connect to it from outside. You can configure your NAT to redirect some external port (ex. 80) to one of the internal PCs. If there is such a redirection, connection made from outside to NAT:80 will be redirected to 192.168.A.B:80. If it is so, you still can create a VPN as decribed above, making slight changes in config:
In HTTPort:
Proxy to bypass: NAT external address
Port: redirected port
Use personal host at: 192.168.A.B (does not really matter)
In HTTHost:
Bind SOCKS to IP: 192.168.A.B
That's it. Enjoy.
Up
SLOW ? DISCONNECTS ? WHY ? (25-Apr-01) by Targeted
I'm being asked the same questions again and again, so I thought I would just summarize it here as a small article.
------------------------------------------------
1. Why HTTPort is so slow ?
HTTPort is NOT slow. What is slow, is the client-server tunneling (aka "Remote host" mode) in VERY heavy load conditions. Now, why is it slow ?
Two reasons.
-----------
First, you must understand how you calculate the speed.
If you are downloading a 10M file from the web, and your throughput is 100 bytes/sec, this IS slow. Data stream is supposed to run faster than that. And it IS running faster. And this is exactly the case I was talking about when saying in the FAQ "Your limit is 22 KBytes/sec." I meant STREAMING DATA.
But if you are sending an e-mail, what's being sent is actually 10 pieces of data, 20 bytes each. Let's say HTTPort sends 20 bytes, then waits 1/10 sec., and then receives 20 bytes. How would you calculate the speed in this case ? You've just sent and received total of 40 bytes over a 1/10 sec. period. Put plain it's just 400 bytes sec, but really, is it slow ? No, not at all. It's just how the mail protocol works.
-----------
Second, you must understand the way your data has to go.
Let's say you are surfing through HTTPort mapped remote server, and HTTPort uses "Remote host" bypass mode. Every request that your local browser issues, travels like this: Browser -> HTTPort -> Local Proxy -> HTTHost -> Remote Proxy -> Some Web Site. It's a HUGE overhead already. There is a lot of links in this chain.
The slowest link is HTTHost. Why ? Because it's a free public server. It runs on a fast dedicated line, on the fast hardware, and my software (HTTHost itself) is good, I'm proud of it, but you are not alone. There are hundreds of users with their browsers trying to push their data through the same pipe. What would you expect ? 1.5 MBit/sec. ? Of course not.
-----------
What can you do to make it faster ?
1. Use SSL/Connect mode in your HTTPort. This is your best bet. Unfortunately it's not always supported by proxies, and if it is not supported, there is nothing you can do about it, if only you don't hang out with the your proxy admin over a beer.
2. Install your own HTTHost. Requires that you have dedicated hardware with permanent Internet on outside of your proxy. This usually applies to western world, where cable modems and DSLs are common. Personal HTTHost WILL BE faster, because you can set it to lower timeouts, and the link is all yours.
3. Register, pay and use one of the payed HTTHosts available. Requires that you have a credit card and want to pay. Don't blame me for that. I don't own a clearing house, so I can't implement any other payment schemes other than provided by PayPal or other similar pals. And if you thought the fast dedicated network connection is free, think again. Connection WILL BE faster for registered users for the same reasons as in 2.
------------------------------------------------
2. Why something does not work as good as it should ?
For instance, MSN gets disconnected all the time, IRC disconnects sometimes etc.
First, I would like to point out - HTTPort is nothing but a tunnel, and it works. It transfers data.
All bad thing usually occur in the "Remote host" mode as well. The reason is simple - your connections are tunneled through the same server with those of other 100s of users. Now walk in IRC server's shoes - what would you see ? You would see that there is a computer out there (the server running public HTTHost), which has 100s of users trying to connect to you. Who would you like best ? Alice or Bob ? Or may be Charlie ? You just can't allow all of them use you at the same time.
Technically speaking, when you are tunneling a connection, HTTHost IS YOU. Your identity is moved to another place. Good - it's anonimity itself. Bad - you are not alone (again).
Some protocols, like MSN may use IP address as a unique attribute of a user. Others like IRC, may limit the number of users that is allowed to log in from a single IP address.
Let you be IRC server again. You allow as many as 2 users to log in from the same IP address. Alice logs in via HTTPort. OK. Bob logs in via HTTPort. OK. Charlie logs in via HTTPort. What do you do ? Disconnect Alice ? Deny Charlie ? It's up to you to decide, but somebody out there WILL BE unhappy.
-----------
What can you do to ease this pain ?
Exactly the same three things as above.
Up
HTTPort 3.SN (28-Mar-01) by Targeted
The new version of HTTPort is released. The new version features:
----------------------------------
1. NTLM and other authentication schemes support.
HTTPort can now bypass a proxy which has a domain/username/password authentication AKA NTLM authentication. Any other authentication scheme which is supported by Windows (Internet Explorer) should be handled by HTTPort.
This is how it works:
You specify in HTTPort that your proxy requires authorization (by checking the Authorize checkbox and entering your username and password in proper fields).
HTTPort attempts to use simplest Basic authentication scheme with proxy. If it fails, HTTPort says, "Ok, I tried." and switches to a different mode of operation, where it fully relies on Internet Explorer engine to make requests. From this point on, HTTPort does not care about any authentication. If Internet Explorer can make it through - great. If not - pity.
Note: NTLM support is only enabled in "Remote host" bypass mode.
----------------------------------
2. Improved protocol.
HTTPort to HTTHost tunnel is now more resistant to temporary proxy faults and glitches.
----------------------------------
3. Privileged user status.
When you register, using [Register] button, get to the registration web page and pay (yes, this feature is NOT free), you are authorized to use one of the "privileged hosts". Privileged hosts are faster for the following reasons:
- They are built with smaller internal timeouts and delays.
- They work on a separate hardware.
- They work on a separate Internet pipes.
- They are shared by few users only, not by hundreds, like public hosts.
----------------------------------
Those of you who use personal edition of HTTHost may want to download the new version 1.5.0. All versions of HTTPort and HTTHost are backwards and forwards compatible, but it's recommended that you use HTTPort 3.SN with HTTHost 1.5.0.
Thank you for using this software and enjoy.
Up
Encryption in HTTPort 3 (23-Mar-01) by Targeted
When you turn encryption on in HTTPort, all data that your applications transfer through HTTPort goes between HTTPort and HTTHost encrypted.
Before two parties can establish an encrypted channel, they both must know the same secret key. This key is used for encryption on one end and decryption on the other end and vice versa.
Since you just created your own random key, nobody may have known it beforehand, so there must be a way of transferring it to the HTTHost server, before it can decrypt your traffic.
The process of transferring key that one party knows to the other party is called key exchange or key negotiation. Different algorithms are used in transferred data encryption and in key negotiation.
HTTPort uses Blowfish for bulk data encryption and RSA during key exchange or negotiation.
The public domain DCPCrypt library (c) David Barton is used for Blowfish and RMD-160. Own implementation of RSA is used.
For more info on Blowfish, visit http://www.counterpane.com/blowfish and for RSA go to http://www.rsasecurity.com/
-----------------------------------
This is how it works:
You create your random Blowfish key:
1. You draw something on the pad.
2. This pad is actually a bit array. HTTPort calculates RMD-160 hash function of that array.
3. This hash data is a seed for a random number generator. HTTPort uses XORed outputs of regular C rand() and Mersenne Twister generator. rand() takes another 32 bits of seed (current time). I'm aware that these 32 bits are not random at all, so saying 192 bit is a little hype, you may think of just 160 bits.
4. 24 random bytes are generated and this becomes your key, denoted as Bk.
Key negotiation:
(Me, Md) is the master RSA key. Em and Dm is Master RSA encryption and decryption respectively.
(He, Hd) is a HTTHost RSA key. Eh and Dh is HTTHost RSA encryption and decryption respectively.
H is a hash function (derived from RMD-160).
1. All HTTPorts go with Md. All HTTHosts go with Hd and precalculated Em(He).
2. HTTPort sends H(Bk) to HTTHost.
3. HTTHost checks its key cache to see if the key with that hash is already known. If it is, go to 10.
4. If not, HTTHost responds with Em(He).
5. HTTPort calculates Dm(Em(He)) = He using Md.
6. HTTPort calculates Eh(Bk) using He and sends it to HTTHost.
7. HTTHost calculates Dh(Eh(Bk)) = Bk using Hd.
8. HTTHost responds with H(Bk).
9. HTTPort checks the hash to match. If it matches, both sides have the key.
10. Bk is used for generating a Blowfish key schedule.
11. From that point, every request that goes from HTTPort to HTTHost has an additional parameter H(Bk). Both HTTPort and HTTHost know the key schedule for key with that hash, and they both encrypt to that key schedule using Blowfish in CBC mode with zero IV.
This is a very simplistic approach, it can only thwart a rather chaotic and resource limited atacker. The main purpose of the described encryption is to prevent proxy admins from recovering the plaintext data being transferred by examining the proxy logs. This task is solved all right, unless they are really up to it, with 2^128 calculations and such.
On the other hand, it won't save you from other problems, for instance, it has no tampering protection (checksum, hash or anything) and it falls to the replay attack and other because the key does not ever change (unless you manually generate another one afresh).
This is not to mention that if you are using personal edition of HTTHost and didn't order your own RSA key on the site, you are using the same RSA key pair as the rest of the world does. This RSA key pair is used as an armoured transport during randomly generated key transfer to the HTTHost server. Now, if the attacker manages to intercept those few HTTP requests that carry the (RSA encrypted) Blowfish key, she could easily recover the key by knowing the RSA key. But if these first requests went unnoticed, the key has been delivered safely and RSA key knowledge makes no good at all as it's not used any more.
Be careful. HTTPort does encrypt the data, but see for yourself whether this is good enough for you.
Up
HTTPort 3.S1 (08-Feb-01) by Targeted
The service release 3.S1 is available for downloading. Major "FTP upload through SOCKS" bug is fixed. Minor interface bug is fixed.
Up
HTTPort 3 and FTP problems (08-Feb-01) by Targeted
Since version 3.S it's possible to use local FTP clients through HTTPort. The suggested way of doing this is pointing the FTP client to 127.0.0.1:1080 as a SOCKS4 server.
There has been recently reported a problem, which turned out to be a bug in HTTPort code. When uploading files with FTP via HTTPort, the uploaded files have invalid length or just do not appear where they are supposed to appear.
This bug is fixed in version 3.S1 (service release 1). So everyone is invited to download the updated version.
-----------------
Yet upon closer look I've found another problem with FTP, and this is not an HTTPort problem, but rather FTP clients feature aka bug. Well, it's not a bug, it's rather an inconsistent behaviour.
This problem arises in "Remote host" mode only.
-----------------
Here is the technical description of the problem:
FTP deals with (at least) two channels (links) being opened between client and server.
The main (control) link to the FTP server is used for sending commands.
Additional links are being opened whenever necessary for downloading or uploading files.
Most of the feature-rich FTP clients allow you to turn on "Keep-alives" on control link. Keep-alive is just a periodic "ping", sent through connection with no other reason but to prevent the connection from being closed as idle.
Now let's say we have an open control FTP link through HTTPort and HTTHost (remote host mode only !). If nothing's going on, keep-alives are being sent and everything's ok.
Now we start uploading a big file. Another link is being opened and data transfer starts.
The problem is - CuteFTP stops sending keep-alives through the control link when there is a data transfer through a data link.
From HTTHost (remote host) point of view, there are two tunneled links. One has been sending keep-alives but just recently it stopped doing this. The other is active and some data is transferred through it.
There is no way the HTTHost can associate these two together, so the first link is considered idle and is closed upon timeout expiration.
CuteFTP sees control link being terminated and closes everything, terminating data transfer in progress.
Luckily this only happens with uploading, because CuteFTP uses the control link itself for downloading files. This means that the connection is not idle, it transfers data and HTTHost does not close it.
So, unless your FTP client properly keeps alive all its connections, you can only upload a file small enough to be uploaded before HTTHost timeout expires.
There is no obvious way around this problem.
Up
HTTPort version 3.S (29-Jan-01) by Targeted
Ok, the new version of HTTPort is here after all. I still have a couple of ideas on how to improve this software, but at it's current state it's just good to go.
Here is what you might want to know about the new version of HTTPort:
---------------------------------------------
1. It now has a built-in SOCKS4 server. This means that whatever local software you have that may be connected through SOCKS4 proxy, may be connected directly through HTTPort. And among others this includes ICQ and FTP. Good news, I believe.
SOCKS support makes HTTPort superior to SOCKS2HTTP application, because S2H only has SOCKS support, and it does not have HTTPort's original port mapping concept (well, it didn't when I tried it last time).
I wouldn't go for SOCKS5 support, mainly because the only difference is that SOCKS5 defines methods for tunneling UDP, whereas HTTPort is incapable of working with UDP at all. So there is no point of pretending somebody is capable of SOCKS5 when in fact it's SOCKS4.
---------------------------------------------
2. It has strong traffic encryption. Well, I like this feature too. In prior version (2.2) when you use "Remote Host" mode (i.e. have your data transferred through remote HTTHost server), your data and destination routes are logged in your proxy logs, and administrator can decode it and see what you are actually doing.
With the new version, when you turn encryption on, all traffic that goes between HTTHost and HTTPort, including the data and host addresses is encrypted using strong cryptographic algorithms. RSA 1024 bit is used for key exchange, Blowfish 192 bit is used for actual encryption. I wouldn't say it's theoretically impossible to break this, but for the time being it's fine.
And yes, I repeat it one more time - strong crypto is illegal and/or controlled in certain countries. Be aware that using "strong encryption" feature will break the law there. Nevertheless since you don't turn this feature on, I'd say it's ok to use HTTPort even in those countries. I could be wrong though, mainly because of cryptographic import restrictions. See, even if you don't use it, you are bringing it in (importing) into the country...
---------------------------------------------
3. Now you may download and use your own little HTTHost server. This feature is my favourite :)
HTTPort was designed to be capable of using any public HTTHost available out there. You don't see it, but HTTPort can dynamically select a host from a so-called "known hosts list". This is how it works normally. This is the default behaviour and for most of the users out there it's the only way.
I recommend that you leave personal HTTHost alone unless you know exactly what you are doing.
This is how personal HTTHost works:
You must have the PC with full Internet access outside your proxy at which you can install HTTHost.
Let's say you want to bypass your proxy at work. And at home you have a PC connected to the Internet with cable or DSL. Or you have your friend's server which is also connected, etc.
First you configure and run HTTHost at your PC at home (or, at your friend's etc.). You must know the address of the PC at which the HTTHost is running. Well, since you are thinking about setting up your own server software I hope you know this stuff a little.
Then you set up HTTPort at work to use personal host at that address. From this point all your traffic will go to that personal host only. If you have worried about the security of your data being transferred through public hosts - you may relax now. I just can't help myself being bad - do you know that Internet is an open network ? Anybody can observe your data if it's not encrypted. Now relax if you can :)
Note that access to personal HTTHost is protected with password. Yet, anybody can _try_ to use your HTTHost. And if they succeed (because of password match), they can use _your_ personal host to do just anything - like sending spam or breaking sites - _on_your_behalf_. Therefore be cautious and remember - it's only your responsibility.
Well, that's all what I wanted to say.
Thank you for reading this and enjoy this software.
Up
To post a message, register first.
0 Comments:
Post a Comment
<< Home