10:23 AM
Connect Directly

Top 3 Tools For Busting Through Firewalls

Can't access a Web site thanks to employer or government censorship? Fortunately, there's a host of tools and techniques that can help you slip through the blockade. Here's an in-depth look at three of the best.

Strategic Security Survey: Global Threat, Local Pain
Strategic Security Survey: Global Threat, Local Pain
(click image for larger view and for full slideshow)

Installing Circumventor requires that you set up three different components in succession -- a copy of Perl (the language used for Circumventor's core scripts), the OpenSA Web server, and the Circumventor scripts themselves. The default Circumventor distribution is designed to be installed on Windows machines, but the core scripts can be run under Linux; they just have to be set up by hand.

Another way to make use of Circumventor without actually installing it is to use the StupidCensorship.com site. From there, a user can sign up for a mailing list that provides updates on public Circumventor sites, which change constantly. Since it's entirely likely that those who are in charge of managing block lists are themselves subscribed to the mailing list, users have to stay vigilant and try different proxies as they are added. The same site also works as a proxy itself, provided it's not blocked, and runs both PHProxy and Glype.

One point of concern about Circumventor: the software at the core of the project, CGIProxy, has not been updated since December 2008.


The Glype proxy has been created in the same spirit as Circumventor. It's installed on an unblocked computer, which the user then accesses to retrieve Web pages that are normally blocked. It's different from Circumventor in that it needs to be installed on a Web server running PHP, not just any old PC with Internet access. To that end, it's best for situations where a Web server is handy or the user knows how to set one up manually.

Setting up Glype itself is easy, though -- the admin unpacks the files into a folder on a Web server that supports PHP, and the rest is almost entirely self-configuring.

There are two basic ways to use Glype: as-is with minimal options, or with a configuration panel installed that lets you control a great many under-the-hood settings. The as-is version only lets you change a couple of basic options, such as whether or not to load cookies or embedded objects (e.g., Flash), or if the target URL or fetched pages should be encoded to avoid being intercepted by other filters. Most static Web pages -- e.g., Wikipedia, text-only news sites -- work fine without tinkering. If only one person is using Glype, this basic version should more than do the job.

The expanded options, though, typically come into play when setting up a Glype instance that's being used by others. Add the control panel -- which involves nothing more than uploading a few more pages to the Glype site -- and an admin can set policies on a great many things. The Glype instance can perform activity logging, local caching of retrieved Web pages, enforce load-limiting measures, add a footer to any retrieved document, block specific IP addresses, prevent direct hotlinking to proxied pages, or create unique URLs for each page visited, which increases privacy.

3 of 5
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/14/2014 | 8:06:39 PM
this really worcks yo have helped me get youtube back because my prents are sick of me watching kung fu panda and listening too dubstep
thancks again and do you have any other research sugjestions for hacking my firewall
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in the Euroling SiteSeeker module 3.x before 3.4.5 for EPiServer allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party inf...

Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com.

Published: 2014-09-17
SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details are obtained from th...

Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index...

Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in Mini Mail Dashboard Widget plugin 1.42 for WordPress allows remote attackers to inject arbitrary web script or HTML via the body of an email.

Best of the Web
Dark Reading Radio