LinuxQuestions.org
Old 09-27-2003, 09:47 AM   #1
yocompia
Member
 
Registered: Apr 2003
Location: Chicago, IL
Distribution: openbsd 3.6, slackware 10.0
Posts: 244

Rep: Reputation: 30
Question what's the DL on anon. proxies?


just to state my intentions from the get-go, all this anonymous proxy business is strictly for my own internet browsing anonymity, not launching anonymous attacks.

i have a number of questions regarding the practice of chaining anonymous proxies to provide for anonymous internet access. i think i'll just list them.

1) i am to understand that SSL cannot work through anonymous proxies, as the certificates must be validated by an external server at each step in a connection and ultimately matched with a given origin IP. is this the case, or am i missing something?

2) increased latency is supposed to be a downside of such chaining of proxies, but are there any other downsides? i can't really see any negatives other than it might seem "suspicious" to big brother or the telecom company if they had a list of such anonymous proxies against which to match my activity.

3) are there any applications for linux that easily facilitate such chaining? word of text seems to dictate that the answer to this is no, but it's available on winblows? based on this, i suspect that it's not that useful to do such a thing, but i could be totally wrong.

that said, i have another, slightly unrelated question about packet filtering and openbsd. i just recently installed openbsd on an older computer i had lying around (pII-350) and i was going to setup the packet filter on it over the next week or so, then use it as a firewall/gateway. is there anything that goes beyond the capabilities of iptables in the packet filter on openbsd? if so, what additional goodies are present? i'd just like to know if i have additional tools at my disposal.

thx for reading,
y-p
 
Old 09-28-2003, 08:26 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
just to state my intentions from the get-go, all this anonymous proxy business is strictly for my own internet browsing anonymity, not launching anonymous attacks.
Cool, just because you say so, I believe you :-]

First of all let's make clear usage of proxies is not some black hat art or skill, but it isn't legitimate either: you're using what's not rightfully yours. Most of the proxies (HTTP, wingates etc etc) around are NOT there because the admins don't mind you using their services and eat up their bandwidth. For anyone who succumbs to false reasoning saying it isn't all that bad 'n such, imagine you running a proxy on your network and someone hopping over to rip your bandwidth (or use it as a foothold to examine/access your LAN). Now tell me again it isn't all that bad.


i am to understand that SSL cannot work through anonymous proxies, as the certificates must be validated by an external server at each step in a connection and ultimately matched with a given origin IP. is this the case, or am i missing something?
Some HTTP proxies allow you to use CONNECT (which is what SSL uses) w/o probs, others don't. Be warned for flaws in reasoning why tho to use SSL over anon HTTP proxies, SSL connections should be trustable, running it tru an anon HTTP proxy by nature isn't (wait and I'll contradict this later on, OK).


increased latency is supposed to be a downside of such chaining of proxies, but are there any other downsides?
Anonymity wrt HTTP proxies is really two things: logs and headers.
The headers are what proxy checkers base their verdict of the proxy on, but if the proxy logs your connections you're not truly anonymous. Here's a few rules for HTTP proxy usage:
I. Don't trust proxies
*Never* use a proxy without checking it out yourself. Make sure you stay away from certain ranges (govt monitoring, honeypots, cracker infested boxen). ALWAYS recheck regularly and rotate,
II. Don't trust hosts you connect to
SSL doesn't mean legitimate, it's just an HTTP connection method. Example? SSL ads. If I manage to route you to one, and you don't proxy SSL then I could have your IP address,
III. Don't use Java or Javascript or plugins
Notorious for the lack of privacy they provide it's an easy way to help determine parts of one's identity,
VI. Do use filtering
Guard against unwanted content/redirs etc etc.


are there any applications for linux that easily facilitate such chaining? word of text seems to dictate that the answer to this is no, (..)?
No, not really, but basic proxy HOWTO texts should show you examples of how to daisy-chain proxies. Google around for texts and you'll find examples/code for daisy-chaining wingates 'n such tho.


i suspect that it's not that useful to do such a thing
Let's say you get there when you need it then.


that said, i have another, slightly unrelated question (..)
Post in the appropriate forum, thanks. AFAIK Netfilter/Iptables has the same basic functionality Ipfilter has.
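
The remark in the post above that proxy checkers base their verdict on headers, shown as an added example that is not part of the thread: a Python sketch that takes the request headers an origin server received and reports which ones show a proxy was involved and which ones carry the client's own address. The header list, the verdict labels and the sample addresses (documentation ranges) are assumptions chosen for illustration.

```python
import ipaddress
import re

# Headers that proxies commonly add (assumed list, not exhaustive); any of
# them tells the origin server the request was relayed.
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded", "client-ip",
                 "x-real-ip", "proxy-connection")
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
IPV6 = re.compile(r"[0-9A-Fa-f]*:[0-9A-Fa-f:.]+")

def extract_ips(value):
    """Return every valid IP address found in a header value, normalised."""
    found = set()
    for token in IPV4.findall(value) + IPV6.findall(value):
        try:
            found.add(str(ipaddress.ip_address(token)))
        except ValueError:
            pass  # version strings, ports and similar near-misses
    return found

def assess(headers, client_ip):
    """Summarise what the origin server learns from the headers it received."""
    lowered = {k.lower(): v for k, v in headers.items()}
    revealing = sorted(h for h in PROXY_HEADERS if h in lowered)
    real_ip = str(ipaddress.ip_address(client_ip))
    # Check every header, not only the known ones: proxies also use custom names.
    leaking = sorted(h for h, v in lowered.items() if real_ip in extract_ips(v))
    if leaking:
        verdict = "client address exposed"
    elif revealing:
        verdict = "proxy use visible, address hidden"
    else:
        verdict = "no proxy headers"
    return {"verdict": verdict, "proxy_headers": revealing, "leaking": leaking}

# Constructed samples: headers as seen by the origin server for three proxies.
SAMPLES = {
    "forwarding": {"Host": "example.org", "Via": "1.1 cache.example",
                   "X-Forwarded-For": "192.0.2.10"},
    "via-only": {"Host": "example.org", "Via": "1.0 squid.example (squid)"},
    "silent": {"Host": "example.org", "User-Agent": "Mozilla/5.0"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, assess(hdrs, "192.0.2.10"))
```

A clean result here only covers the headers half of the point made above; it says nothing about whether the proxy logs connections.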
 
Old 09-28-2003, 10:52 AM   #3
yocompia
Member
 
Registered: Apr 2003
Location: Chicago, IL
Distribution: openbsd 3.6, slackware 10.0
Posts: 244

Original Poster
Rep: Reputation: 30
thx for the responses unSpawn, but a couple of the things you said are somewhat new to me:

III. Don't use Java or Javascript or plugins
Notorious for the lack of privacy they provide it's an easy way to help determine parts of one's identity,

>> why do java/js plugins make for a privacy issue? how do they, as opposed to other plugins/webpage code, get such information?

VI. Do use filtering
Guard against unwanted content/redirs etc etc.

>> i don't know if i do this already, but is it an option for most browsers? i have firebird 0.6.1.
 
Old 09-28-2003, 12:22 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
>> why do java/js plugins make for a privacy issue? how do they, as opposed to other plugins/webpage code, get such information?
See gemal.dk/browserspy/ or Google for "browser check javascript". Try any with and without Javascript. Clean disk/mem cache between sessions. What goes for Javascript goes for applets.

how do they, as opposed to other plugins/webpage code, get such information?
Look past the applications to the layer below. Try to see Java, javascript, Tk/Tcl and whatever else as the "enablers" making stuff possible.


VI. Do use filtering
>> i don't know if i do this already, but is it an option for most browsers? i have firebird 0.6.1.

I strongly believe in the original purpose by which UNIX tools were built, that is have a tool that does one thing and do that good. I'd opt for external filtering caps. If you don't need (to provide) mass proxying (Squid), then by all means check out Privoxy. Proxomitron, and to some lesser extent Webwasher, should do too, but they're w32 only.
 
  

