Security of Socks proxy component

praveen raj
Added over 4 years ago

Hi,

I am planning to develop a file storage utility using XMPP as the file transfer medium.

However I noticed that it is not possible to embed binary data into XML and BASE64 encoding increases the file size by roughly 33%.

I was planning to try using SOCKS5 proxy as a relay for data transfer.

With regard to the same I have some questions:

  1. Is SOCKS5 proxy a reliable mechanism for communication?

When a hacker finds out the address and port number of the proxy, what prevents him from being able to transfer files across the proxy?

Should a custom authentication handler be implemented on top of the framework? Any suggestion here is useful.

  2. Is it possible to embed binary data into XML?

  3. I have seen a project similar to Dropbox by the Tigase team but it still looks under development. What are some useful tips which can be used to solve a similar problem from an XMPP perspective?

Regards,

Praveen


Replies (2)


Added by Artur Hefczyc TigaseTeam over 4 years ago

praveen raj wrote:

Hi,

I am planning to develop a file storage utility using XMPP as the file transfer medium.

However I noticed that it is not possible to embed binary data into XML and BASE64 encoding increases the file size by roughly 33%.

I was planning to try using SOCKS5 proxy as a relay for data transfer.

With regard to the same I have some questions:

  1. Is SOCKS5 proxy a reliable mechanism for communication?

For communication? It is a reliable mechanism for binary data transfer, yes.

When a hacker finds out the address and port number of the proxy, what prevents him from being able to transfer files across the proxy?

Andrzej can provide you with more details but I think it is not that easy for the hacker to abuse the service. There are a number of limits you can put on the data transfer on the proxy.

Please take a look at the wiki page: https://projects.tigase.org/projects/socks5/wiki/Installation

Most likely the user has to be authenticated/have an XMPP account on the Tigase server to transfer data but I am not sure about it. Andrzej should be able to clarify and give you suggestions on how to best protect your Socks5 proxy installation.

Should a custom authentication handler be implemented on top of the framework? Any suggestion here is useful.

Andrzej will answer this.

  2. Is it possible to embed binary data into XML?

As Base64 only.

  3. I have seen a project similar to Dropbox by the Tigase team but it still looks under development. What are some useful tips which can be used to solve a similar problem from an XMPP perspective?

No tips I am afraid. Be prepared for some development work on the server as the out of the box XMPP server does not fulfill all the requirements.

Added by Andrzej Wójcik IoT 1 CloudTigaseTeam over 4 years ago

Artur Hefczyc wrote:

When a hacker finds out the address and port number of the proxy, what prevents him from being able to transfer files across the proxy?

Andrzej can provide you with more details but I think it is not that easy for the hacker to abuse the service. There are a number of limits you can put on the data transfer on the proxy.

Please take a look at the wiki page: https://projects.tigase.org/projects/socks5/wiki/Installation

Most likely the user has to be authenticated/have an XMPP account on the Tigase server to transfer data but I am not sure about it. Andrzej should be able to clarify and give you suggestions on how to best protect your Socks5 proxy installation.

To be able to transfer files across the proxy you need a valid key generated from the transfer sid, the jid of the sender and the jid of the receiver, as specified in XEP-0065, and the connection needs to be activated using an XMPP stanza as described in XEP-0065.

Also, if you configure the Socks5 proxy component to use LimitsVerifier, it will check whether at least one of the clients (sender or receiver) is using a domain which is hosted on your server.

Should a custom authentication handler be implemented on top of the framework? Any suggestion here is useful.

Andrzej will answer this.

Authentication is done using hash generation as described in XEP-0065.
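The XEP-0065 check described in the replies above, as an added sketch that is not part of the thread and is not Tigase's code: the SOCKS5 `DST.ADDR` is the hex SHA-1 of SID + requester JID + target JID, and the proxy relays nothing until an activation stanza names a session whose hash matches two parked sockets. The `ProxySketch` class, the sample SID and JIDs, and the hosted-domain test modelled on the LimitsVerifier description are assumptions for illustration.

```python
import hashlib
import struct
from typing import Optional

# Constructed sample session (not from the thread).
SID, SENDER, RECEIVER = "sid-demo-1", "alice@example.org/laptop", "bob@example.net/phone"

def dst_addr(sid: str, requester_jid: str, target_jid: str) -> str:
    # XEP-0065: hex SHA-1 of SID + requester JID + target JID, no separators.
    return hashlib.sha1((sid + requester_jid + target_jid).encode("utf-8")).hexdigest()

def build_connect(addr: str) -> bytes:
    # VER=5, CMD=1 (connect), RSV=0, ATYP=3 (domain name), DST.PORT=0.
    raw = addr.encode("ascii")
    return bytes([5, 1, 0, 3, len(raw)]) + raw + struct.pack("!H", 0)

def parse_connect(req: bytes) -> Optional[str]:
    # Accept only the exact request shape above with a 40-char hex DST.ADDR.
    if len(req) != 47 or req[:5] != bytes([5, 1, 0, 3, 40]) or req[-2:] != b"\x00\x00":
        return None
    addr = req[5:45].decode("ascii", errors="replace")
    return addr if all(c in "0123456789abcdef" for c in addr) else None

def jid_domain(jid: str) -> str:
    # Strip the resource, then the localpart.
    return jid.split("/", 1)[0].split("@", 1)[-1].lower()

class ProxySketch:
    def __init__(self, hosted_domains):
        self.hosted = {d.lower() for d in hosted_domains}
        self.pending = {}  # DST.ADDR -> number of sockets parked on it

    def on_connect(self, req: bytes) -> bool:
        addr = parse_connect(req)
        if addr is None:
            return False  # not an XEP-0065 style request: drop the socket
        self.pending[addr] = self.pending.get(addr, 0) + 1
        return True  # socket is parked; no data is relayed yet

    def on_activate(self, from_jid: str, sid: str, target_jid: str) -> bool:
        # Called for an activation stanza received over an authenticated XMPP stream.
        if not {jid_domain(from_jid), jid_domain(target_jid)} & self.hosted:
            return False  # neither party uses a domain hosted on this server
        # Relay only when both peers are parked on the hash for this exact session.
        return self.pending.get(dst_addr(sid, from_jid, target_jid), 0) == 2
```

A client that only knows the proxy's address and port can open a socket, but without the SID and both full JIDs it cannot produce a hash that an activation stanza will ever match.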
