Back in the day, XS4ALL, a Dutch internet provider had exactly this feature. They provided ssh access via port 80. It saved me a couple of time while I was traveling and the only way to get internet access was via hotel WiFi, which blocked everything except port 80. If anybody from XS4ALL is reading this... Thanks!
- different port (443, not 80)
- different protocol used on that port (https, not ssh)
It seems the same to me: using a port that's open for a commonly used protocol, so http (80) in the 90s, https (443) now. Of course the protocol is different, that's the point!
It's not the same at all. OP's port 443 is not 'open' in the same sense that GGP's port 80 was 'open'.
In the old days, only the port number mattered. Today, DPI means the protocol matters as well.
The SSL negotiation part happens before any other communication. Once the encrypted connection is established, how do you analize the protocol?
Edit: I tested that time ago:
https://news.ycombinator.com/item?id=38753897
And to save roundtrips: I believe it must be possible to analyze encrypted traffic to find out which protocol is used. But I doubt that the hospital admins are so motivated or sophisticated.
An SSH server and client do not use SSL/TLS to set up the connection. They use the SSH protocol.
As soon as you connect to an SSH server, the server sends an identification string. The identification string always starts with:
It's trivial to detect.In the old days, corporate firewall rules were based solely on port numbers. So you could connect to an outside SSH server running on port 80, even if port 22 was blocked. Nowadays, an SSH server running on any port (80, 443, or any other) can easily be detected and blocked.
OK, I believe you, but then, does the trick described in the article work?
I ask because if it works, the principle is the same: using a commonly used protocol to circumvent limitations. It used to be easier to do then, it's more involved now.
In other words: is it possible to tunnel anything through https?
No it's not. The earlier method used only a commonly used port, and did not require the use of a commonly used protocol.
The purpose of using the TLS layer is to prevent the DPI.
Dpi has been around for a very long time.
Yes, but I'm specifically talking about a time when many corporate networks weren't yet using DPI.
Many of them still aren’t. Case in point - the firewall from the original post.
OP describes tunneling SSH within another protocol. In the absence of DPI, this wouldn't be required.
I didn't realize they were a full on ISP! I recall using them back in the day as a newsgroup provider.
XS4ALL was amazing and it’s a genuine shame that KPN corporate decided to dissolve the brand. But I guess, KPN wouldn’t have been comfortable with XS4ALL’s hacker ethos anyways…
XS4ALL sort of lives on in the form of Freedom - https://freedom.nl/en
Fellow xs4all user here, it was fantastic, the real spirit of the early internet.
Sort of a redo of the pirate radio ethos of the 60s.
https://en.wikipedia.org/wiki/Pirate_radio_in_Europe