Posted almost 16 years ago by WCM
Sorry for pushing Chinese content to the English channel; this is an urgent warning for people in mainland China. Click this & this to see what happened.
-------------------------
Everyone: although this matter has nothing to do with AutoProxy, it is a very serious security threat to all users (AutoProxy users included). I, WCM, author of AutoProxy, stake my personal reputation on strongly urging you to read this carefully and take action.
Background
Any information transmitted over the Internet can be maliciously intercepted. Even so, we still keep a lot of important data online, such as private email and bank transactions. That is because something called SSL/TLS/HTTPS protects our information: it encrypts the communication between us and the website's server.
If a website considers its user data sensitive and intends to use SSL/TLS/HTTPS encryption, it must first apply for a certificate from a company/organization that has CA (Certificate Authority) authority. Companies/organizations with CA authority have all passed global review and are trustworthy.
What happened
Recently CNNIC (yes, that notorious CNNIC, the China Internet Network Information Center, the one that exploited system vulnerabilities to push rogue software, the one that hyped .CN domains hard and then suddenly stopped resolving them) quietly obtained CA authority! While all Chinese users were kept in the dark!
What it means
It means CNNIC can forge a certificate for any website at will, substitute it for the website's real certificate, and thereby steal any of our data!
This is the legendary SSL MITM attack. Previously this attack didn't matter much, because the attacker's certificate was fake and the browser would tell us the truth; now, because CNNIC has CA authority, browsers fully trust its certificates and give us no warning at all, even for a forged certificate!
Do you trust CNNIC (China Internet Network Information Center)? Do you believe that, now that it has this authority, it will behave itself and not secretly do bad things?
I have three doubts about this:
A certain Party is intensely interested in GMail, and the GFW has spent years honing its SSL skills without much progress. Now that there is a CA, if the GFW gives the order, would CNNIC dare to refuse?
Back in the day CNNIC used its so-called official title to make rogue software that plagued netizens. Now that it has a CA, how can we trust it not to repeat the trick?
To get a legitimate certificate for a specific website, other rogue companies will offer money-for-power deals. Faced with that temptation, does CNNIC have enough professional integrity?
Who is affected
Basically all users of all browsers are affected!
Step one: defend yourself immediately
Only the defence for Firefox is described here; users of other browsers please Google for yourselves, the principle is similar.
Menu bar: Tools/Edit -> Preferences -> Advanced -> Encryption -> View Certificates -> Authorities
This is a long list, in alphabetical order. You should be able to find an entry called "CNNIC ROOT". That's the thing. Tell Firefox we don't trust it!
Select CNNIC ROOT and click the "Edit" button below. A dialog pops up with three options; uncheck all of them! Save.
That's not all; a cunning rabbit has three burrows.
Keep looking further down: there is a group called Entrust.net, and in this group there should be a "CNNIC SSL" (if it isn't there, visit this website and it will appear).
Don't rush to act; this time the situation is different, because this certificate is signed by Entrust. We trust Entrust, and Entrust says it trusts CNNIC, so we are forced to trust CNNIC SSL. Find the entry "Entrust.net Secure Server Certification Authority" and, as above, uncheck all three options and save. (Note: after revoking trust in Entrust, some legitimate websites signed by it may no longer open. As for which websites use its signature, I tried a few at random and didn't find an example.)
Finally, let's verify. Restart Firefox and open this and this website. If Firefox gives a security warning for both sites instead of browsing normally, congratulations, you have freed yourself from the CNNIC CA security threat!
Step two: treat the root cause, not just the symptoms
When I heard this news a few days ago, I simply and contemptuously deleted CNNIC and left it at that. But this weekend I suddenly felt that was not good. As long as it exists, the majority of users remain under threat. It's the same thought I had when writing AutoProxy: if most people are under a security threat, what's the point of one person keeping himself safe? If we can't lower the threshold for freedom and security even a little, what good is the so-called technology?
So I call on everyone to contribute a little time and knowledge, and to unite to persuade the browser vendors to revoke CNNIC's CA authority. No company will push for this; only our community can.
Firefox comes first: as a non-profit organization, Mozilla's decision-making process is more open and more willing to listen to the community. Bug 476766 records the whole course of events. Bug 542689 and Mozilla.dev.security.policy carry the current discussion (note: you can add yourself to the Bugzilla CC list to express your concern about this. But don't casually post unreliable remarks, or you'll just annoy people. Emphasizing politics, the GFW and the like won't work; you must stick to the facts. For example, that it used deception or concealment during the application process, or that some of its behaviour after approval violates Mozilla's CA policy; or that its nature and past behaviour show it will not be faithful to its duty and will (help to) carry out MITM, something all CAs abhor).
Next is Entrust, which says it trusts CNNIC, so that we are forced to trust CNNIC SSL too. Tell Entrust that this is serious: because it wrongly trusted CNNIC, large numbers of users have had to delete its CA. Even better if you can find websites that use Entrust certificates: write to them saying that because of this incident we had to delete Entrust's CA, and ask them to choose another CA. If the response is strong, it is bound to put great pressure on Entrust.
Besides that, come and vote (results)!
Finally, I strongly recommend that when you see a certificate warning you simply close the page and don't casually add an exception. The certificate trust system is a chain of dependencies, one level on the next, and with one careless move you may end up trusting a CA you didn't want to trust. It's worth testing the two verification websites above periodically (weekly/monthly); if one day you find that either of them no longer gives a certificate warning, pay attention!
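As an added illustration (my own example, not WCM's code and not anything from the AutoProxy project), the Go program below builds a miniature version of the hierarchy the post describes, using invented names and freshly generated keys: a widely trusted root standing in for Entrust, a second root standing in for "CNNIC ROOT", and an intermediate standing in for "CNNIC SSL" that is cross-signed by the trusted root. It then runs Go's standard-library X.509 chain validation the way a browser would: first with both roots trusted, then after removing only the second root, and finally after removing the cross-signing root as well. The third result is the point of the post's "a cunning rabbit has three burrows" step: dropping "CNNIC ROOT" alone leaves the cross-signed path valid. The host name mail.example.test and every certificate name here are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// issuer bundles a certificate with the private key that signs on its behalf.
type issuer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates a certificate for cn, self-signed when parent is nil (a root)
// and otherwise signed by parent. All names are invented for this example.
func issue(cn string, isCA bool, dns []string, parent *issuer) *issuer {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dns,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	parentCert, signKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &issuer{cert: cert, key: key}
}

// chainsToTrusted reports whether leaf validates for host against the given
// root set, with intermediates available the way a server would send them.
// Distrusting a CA is nothing more than leaving it out of roots.
func chainsToTrusted(leaf *x509.Certificate, roots, intermediates []*x509.Certificate, host string) bool {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, DNSName: host})
	return err == nil
}

// withoutCN drops every root whose CommonName contains needle, the same
// effect as unticking the trust boxes for that entry in Firefox.
func withoutCN(roots []*x509.Certificate, needle string) []*x509.Certificate {
	var kept []*x509.Certificate
	for _, c := range roots {
		if !strings.Contains(c.Subject.CommonName, needle) {
			kept = append(kept, c)
		}
	}
	return kept
}

// Outcome holds one boolean per check, in the order the post walks through them.
type Outcome struct {
	ForgedLeafAccepted       bool // both roots trusted: the forged leaf validates (expected true)
	ForgedLeafAfterRemoval   bool // sketchy root removed: the direct leaf is rejected (expected false)
	CrossSignedAfterRemoval  bool // ...but the leaf under the cross-signed intermediate still validates (expected true)
	CrossSignedAfterBothGone bool // cross-signing root removed too: finally rejected (expected false)
}

// RunScenario builds the invented hierarchy and evaluates the four checks.
func RunScenario() Outcome {
	const host = "mail.example.test"
	widely := issue("Hypothetical Widely Trusted Root", true, nil, nil) // stand-in for Entrust
	sketchy := issue("Hypothetical Sketchy Root", true, nil, nil)       // stand-in for "CNNIC ROOT"
	cross := issue("Hypothetical Sketchy SSL", true, nil, widely)       // stand-in for "CNNIC SSL", cross-signed
	direct := issue(host, false, []string{host}, sketchy)               // forged leaf straight from the sketchy root
	viaCross := issue(host, false, []string{host}, cross)               // forged leaf under the cross-signed intermediate

	all := []*x509.Certificate{widely.cert, sketchy.cert}
	inter := []*x509.Certificate{cross.cert}
	step1 := withoutCN(all, "Sketchy")  // the post's first action
	step2 := withoutCN(step1, "Widely") // the post's second action: the cross-signer has to go too

	return Outcome{
		ForgedLeafAccepted:       chainsToTrusted(direct.cert, all, nil, host),
		ForgedLeafAfterRemoval:   chainsToTrusted(direct.cert, step1, nil, host),
		CrossSignedAfterRemoval:  chainsToTrusted(viaCross.cert, step1, inter, host),
		CrossSignedAfterBothGone: chainsToTrusted(viaCross.cert, step2, inter, host),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Run it with `go run`; it prints the four booleans. Note that this models only the path-building part of a browser's decision: real browsers also consult their own distrust lists, revocation data and name constraints, none of which the post's manual edit touches.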
Posted almost 16 years ago by WCM
On the 21st of this month, AutoProxy was marked as public by AMO, which means:
we don't need to click a check box before installing AutoProxy;
updates will be provided through the update check service; manual update is no longer necessary.
Thanks to the AMO editor: Andrew Williamson!
Note: If you have just upgraded from version 0.2.x, your default proxy setting will be reset to Tor. If you are not using Tor, please go to the AutoProxy preferences and choose another proxy. Sorry for the inconvenience. :-)
Posted almost 16 years ago by WCM
Hi,
We first had our official website at www.autoproxy.org; later a new website became available at autoproxy.org.
Today I halted the old website; www.autoproxy.org now redirects to autoproxy.org.
All old contents have been moved to this new site; if you find something missing, please leave a comment.
Thank you :-)
Posted almost 16 years ago by WCM
As mentioned in the last post, though I'm not going to port AutoProxy to Google Chrome, some achievements of AutoProxy such as gfwList can be reused by other projects.
I'd like to introduce how to use the AutoProxy gfwList PAC under Chrome + Switchy. This introduction is for Windows XP users; Windows Vista & Windows 7 should be more or less the same. It seems Switchy doesn't work properly on non-Windows systems.
1. I suppose you have installed the latest Chrome beta and Switchy.
2. Go to our AutoProxy 2 PAC project homepage and download the suitable PAC file according to which proxy server you are using.
3. Set your Switchy to "Auto Switch Mode", and close Chrome.
4. Go to a folder that looks like "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\caehdcpeofiiigpdhbabniblemipncjj\1.4.2.1\plugins". There should be some files whose names begin with "npSwitchy".
5. Copy the gfwList PAC file to this folder and rename it to "npSwitchy.auto.pac" (if there is already one, delete it first).
6. Right-click the new npSwitchy.auto.pac file, choose "Properties", check the "Read-only" checkbox and save.
7. Open Chrome and enjoy: Chrome + Switchy + AutoProxy gfwList PAC!
Note:
1. gfwList is only for people in mainland China; please don't use it if you are not there.
2. Some websites such as Twitter, YouTube and Facebook will still be unavailable under a SOCKS proxy, since the "DNS via SOCKS" feature is not available in the current version of Chrome (follow this issue). If you are using Tor or ssh, you might also need Privoxy.
In the end, please remember that we have a gfwList report bookmarklet. You are welcome to report any problems with our PAC file; we can do better with your help. Thank you!
Posted almost 16 years ago by WCM
Many users asked me to port AutoProxy to Google Chrome; I really appreciate that you like AutoProxy. However, I apologize: AutoProxy will stick to Firefox (at least in the coming months).
Here is why:
Partly because Chrome is not ready:
Chrome doesn't have a proxy policy of its own and lacks fundamental functions, so it's hard or even impossible to implement some features AutoProxy does & will do for Firefox.
To develop a proxy management extension for Chrome, we have to use NPAPI, which is not designed for such usage. NPAPI source code is compiled into a binary package; users never know what's inside.
All proxy settings ultimately have to be translated to PAC. Extensions can't add any useful features or make performance enhancements to PAC. If PAC is acceptable, AutoProxy gfwList already has a PAC port.
Partly because of me:
Besides AutoProxy, there are many other extensions / features I like in Firefox; I won't use Chrome for my daily browsing.
I became a gfan many years ago, and so I use too many services from Google. I don't want Google to become Skynet; since Chrome is not as irresistible as Google search/GMail..., I'd like to avoid it.
I don't have much spare time. I prefer to dedicate my limited time to AutoProxy for Firefox and make it as perfect as possible.
Nevertheless, the achievements of AutoProxy (such as gfwList) are free for the community. If anyone who develops an extension for Chrome needs help from the AutoProxy project, please feel free to ask. There is already a proxy management extension for Chrome named Switchy!; I hope it gets better and better.
In the end, I tend to open Firefox and never close it before shutdown, so the start-up time doesn't matter to me. Firefox is becoming faster and faster. You guys can try Firefox 3.6 or 3.7. There are also some tricks that can improve Firefox's performance.
Posted almost 16 years ago by WCM
Hi community,
I keep in mind that our official website should be as free as possible; for example, people can leave comments anonymously.
However, this feature became the cat's paw of spam: over 50,000 spam comments arrived in about two weeks.
To deal with this problem, I have:
* deleted all spam: I'm sorry if I deleted your comments by mistake.
* enabled an anti-spam module: it may ask you to type a captcha; sorry for the inconvenience.
^_^
Posted about 16 years ago by WCM
gfwList Report Bookmarklet.
Drag this link to your toolbar / bookmarks. Then you can report newly blocked websites to gfwList with one click.
Hint (Firefox only): after dragging that link to your toolbar / bookmarks, right-click it, choose "Properties", and then type one or more characters in the "Keyword" field ("g" for example). From now on, if you want to report a newly blocked website, you don't even need to find this bookmarklet; just:
Ctrl + L (don't press the Shift key)
g (the same character you typed in the "Keyword" field just now)
Enter
Posted about 16 years ago by WCM
Support for the old version (0.2.x) of AutoProxy has been dropped. Everybody please upgrade to the latest version.
Please help to spread this change and encourage all your friends to upgrade. There are still a lot of people using the old version of AutoProxy, which is no longer supported.
Important for gfwList subscribers: gfwList is optimized for the latest AutoProxy; you may have all kinds of strange problems if you keep using the old version.
Posted about 16 years ago by WCM
Everybody can contribute to gfwList. gfwList subscribers are welcome to click tr.im/gfwList to submit your AutoProxy rules and help gfwList become better. :-)