ASA firewall blocked HTTPS: do most firewalls' default configurations allow secure TCP in the same way as HTTPS?

I need to implement secure data transfer from client to server (binary data). I'm looking for the solution that doesn't require clients to configure firewall exceptions.

The obvious choice is HTTPS. Most firewalls allow outgoing HTTPS by default. There are two issues with HTTPS:

I don't want to implement HTTPS (even the simplest possible version) because I don't need its complexity. A simple custom secure binary protocol would be enough.

I'd like to avoid the overhead of the base64 encoding required to put binary data into an HTTP POST message (please correct me if I'm wrong). The client runs on weak hardware (an embedded system).

Now, my assumptions. Since HTTPS is encrypted (by definition), a firewall cannot parse it or check whether the data is base64 encoded. This means I can use my custom secured TCP protocol on the HTTPS port (443) to imitate HTTPS, and the firewall won't be able to distinguish it from HTTPS. Please confirm or explain what my mistake is.

Solution

IMO a firewall is not really a good firewall, unless the "default" configuration is to deny everything in/out (for instance, this is what a Juniper SRX and Cisco ASA do by default). The most common firewall configurations typically allow HTTPS through.

As for building your own custom protocol, please for the love of pizza (and your own sanity) use one of the many standardized file transfer protocols that already exist... the choices are wide open, such as ftp, rsync, http (see below), scp, and sftp.

Two things you need to think about...

The first thing you need to worry about is if your clients perform some kind of deep packet inspection to verify that you aren't just tunneling "other stuff" through TCP/443. This isn't common today, but some people do it.

Another point, some people (you may be surprised at how many) get a generic SSL certificate and build a transparent proxy for all http/https. That will mess your plans up; at this point you need https and POST.
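To make the deep-packet-inspection point concrete, here is an added example (not code from the original answer) of the kind of check an inspecting firewall can apply to the first bytes of a TCP/443 stream: it verifies that the stream opens with a TLS record carrying a ClientHello. The sample flows, their names and the `SBP1` protocol tag are constructed for the example; a custom protocol on port 443 fails this check no matter how well its payload is encrypted.

```python
import struct

def looks_like_tls_client_hello(data: bytes) -> bool:
    """Return True if `data` begins with a TLS record that carries a ClientHello."""
    # TLS record header: content type (1 byte), version (2), length (2),
    # followed by the handshake header: msg type (1), length (3).
    if len(data) < 9:
        return False
    content_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != 0x16:                      # 0x16 = handshake record
        return False
    if major != 3 or minor > 4:                   # record versions SSL 3.0 .. TLS 1.3
        return False
    if rec_len < 4 or rec_len > 16384 + 2048:     # record length sanity bounds
        return False
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_type != 0x01:                           # 0x01 = ClientHello
        return False
    # Simplification: expect the ClientHello to fill a single record exactly
    # (fragmented ClientHellos are legal but rare).
    return hs_len + 4 == rec_len

def _constructed_client_hello() -> bytes:
    """Constructed minimal ClientHello: version, 32-byte random, empty session id,
    one cipher suite, null compression. Not captured from a real client."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

# Constructed "first bytes" of three flows arriving on TCP/443.
SAMPLE_FLOWS = {
    "browser-to-https-server": _constructed_client_hello(),
    "custom-binary-on-443": b"SBP1\x00\x00\x00\x10" + bytes(16),   # hypothetical custom protocol
    "plain-http-on-443": b"POST /upload HTTP/1.1\r\nHost: example\r\n",
}

def classify_flows(flows: dict) -> dict:
    """Map each flow name to 'tls' or 'not-tls' based on its opening bytes."""
    return {name: ("tls" if looks_like_tls_client_hello(first) else "not-tls")
            for name, first in flows.items()}

if __name__ == "__main__":
    for name, verdict in classify_flows(SAMPLE_FLOWS).items():
        print(f"{name}: {verdict}")
```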
