Access Blocked Sites

From Wired How-To Wiki

Illustration by Lab Partners

If your employer nixes non-work-related sites like Gmail, YouTube, and Facebook, you could try bypassing the blocks with a public proxy -- but those are typically blacklisted, too.

This article is a wiki. Got extra advice? Log in and add it.

Here's how to forge your own detour:

Download the PHProxy program from Sourceforge.net.

Unzip the file and upload the entire folder's contents to a Web host that can run PHP scripts (GoDaddy and Dreamhost offer plans for less than $10 a month).

Enter the host URL into your browser. When the proxy page pops up, type your actual destination into the blank address bar.

You're now free -- and free to poke away.

Contributed by Mathew Honan

Use an SSH Server on port 443

Your corporate proxy knows nothing about what goes on over SSL/HTTPS connections. They simply allow any TCP connection to port 443 of any IP not blacklisted. So you run an SSH server on port 443 and connect to that to tunnel all your real connections.

If you are using your home internet connection for this, simply go into your router and port forward 443 to port 22 (the normal SSH port) of your computer. If you have a Mac, turn on remote administrator access in "sharing" and you'll be good to go. Or use a dedicated server you may have hired at a colo; Linux firewall rules can forward port 443 to 22 also. If someone knows how to run an SSH server on Windows, please add it here.

On your work computer, find out the IP address of the proxy. You'll likely find this in the connection settings for IE. You may have to download the "PAC" file it references to work out the rules.

Download PuTTY. In "Connection", add the proxy you just discovered as HTTP proxy. The proxy may require your username and password, usually in "domain\user" form. Then in "Connection>SSH>Tunnels" enter 8181 for source port, leave destination empty and select the "Dynamic" radio button and click add. Go back to "Session" and save this session.

Now try and open this session and see if you are in luck. If you are, you log into your server and the tunnel will be active.

Now all you need to do is change your browser to use "localhost:8181" as SOCKS proxy. Stuck on a locked down IE? FireFox installs just fine in your "Documents and Settings" folder without the need to admin rights on your computer.

If the connection failed, it could be that your company use Microsoft's proxy and it requires NTLM authentication, which PuTTY doesn't provide. In that case, download "ntlmaps" which sits between PuTTY and the proxy and takes care of the NTLM authentication.

This is not a step by step guide because the details will be slightly different for everyone. Work it out and prove you are a geek!

Yes, it's a lot of work but I have never not been able to escape the confines of any company, nor has any network security group detected this was happening. YMMV!

Disclaimer

When executing this work around you are essentially creating a back door into the company's network that is bypassing your companies content policies. For those of you that feel comfortable doing that, have at--but be aware of following sage advice.

If you work for a company that has industry regulated security compliance standards, like PCI, or the company has its own security polices, you could be putting your job/career at risk using this technique. Employees at a variety of corporate venues both large and small have been terminated for even a single breach of corporate content policies. You may even be violating the law, particularly if you work in the Banking or Defense industry. Read your company's employee handbook, particularly those sections related to IT policies, before pursuing any of the above work around.

Many companies log internet activity, and some have HTTPS inspection. This means that your HTTPS (TCP 443) data is decrypted, inspected, logged and re-encrypted by a firewall. Inspection of decrypted port 443 traffic, typically blocks non-http traffic (e.g. SSH over port 443) this renders such an attempt to bypass your companies security, invalid. You can detect SSL inspection by browsing to a site you trust and checking what certicate authority issued the certificate, then viewing the same site at home. Some Cisco firewall, Forefront TMG, and ISA (with addition of addons) offer this feature to your IT department.

Even if its legal, even you found some loophole in the employee handbook, even if you don't get caught by the company IT department, or they are simply "asleep at the switch", and even you restrict your web surfing to lunch time and breaks, you'll prove you are a geek all right--and the loser who does nothing all day but look at Facebook/EBay/etc. to any co-worker that happens to walk by your computer the moment you browsing to a site they know you to which you aren't suppose to have access.

You would be well advised to just surf from home and keep your job, or get cell phone or other wireless device that has web-browsing capabilities and head down to the local coffee shop to find out if your grape harvest is ready in FarmVille.

Contributed by Adam Haskin