apache / mina-sshd

Apache MINA sshd is a comprehensive Java library for client- and server-side SSH.
https://mina.apache.org/sshd-project/
Apache License 2.0

Clarify how to establish an encrypted SOCKS proxy #479

Closed cowwoc closed 3 months ago

cowwoc commented 3 months ago

Description

Please take a look at https://github.com/jetty/jetty.project/issues/7647 and comment on whether it is technically possible to establish an encrypted SOCKS proxy using mina, and if so, why it could be failing in my case.

Motivation

Clients who want to prevent a man-in-the-middle from knowing what websites they visit over the proxy.

Alternatives considered

No response

Additional context

No response

tomaswolf commented 3 months ago

See the diagrams in our technical documentation on port forwarding. With dynamic port forwarding, the SOCKS proxy sits in the SSH client, and the remote SSH server is instructed to connect to the target host. The connection between SSH client and SSH server is encrypted. The connection between the SOCKS client and the SOCKS proxy is not, but that is normally not needed. (Unless you make the SOCKS port externally accessible, the SOCKS client will be on the same host as the SOCKS proxy.) When the connection is established end to end, it depends on the protocol between the SOCKS client and the target server whether they encrypt their data stream.
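The setup described in the reply above, as an added example (not code from the issue or from the Apache MINA sshd project): the SSH client starts a dynamic port forward, which is the SOCKS proxy, bound to loopback only; the remote SSH server makes the connection to the target; the SOCKS client on the same host then uses that proxy. Host, user, port, password source and the target URL are assumed values. The one piece that actually defends the SSH leg against a man-in-the-middle is the server key verifier: the client built by setUpDefaultClient() accepts any host key unless you replace it, so the example installs a strict known_hosts verifier that rejects unknown servers.

```java
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.util.concurrent.TimeUnit;

import org.apache.sshd.client.SshClient;
import org.apache.sshd.client.keyverifier.DefaultKnownHostsServerKeyVerifier;
import org.apache.sshd.client.keyverifier.RejectAllServerKeyVerifier;
import org.apache.sshd.client.session.ClientSession;
import org.apache.sshd.common.util.net.SshdSocketAddress;

public class EncryptedSocksExample {

    // Assumed values for illustration only; none of these come from the issue.
    static final String SSH_HOST = "ssh.example.org";
    static final int SSH_PORT = 22;
    static final String SSH_USER = "alice";
    static final String TARGET_URL = "https://target.example.net/";

    public static void main(String[] args) throws Exception {
        try (SshClient client = SshClient.setUpDefaultClient()) {
            // The default client accepts every host key, so an active MITM on the
            // SSH leg would not be detected. Trust only keys already present in
            // ~/.ssh/known_hosts (strict mode) and reject anything unknown.
            client.setServerKeyVerifier(
                new DefaultKnownHostsServerKeyVerifier(RejectAllServerKeyVerifier.INSTANCE, true));
            client.start();

            try (ClientSession session = client.connect(SSH_USER, SSH_HOST, SSH_PORT)
                    .verify(10L, TimeUnit.SECONDS).getSession()) {
                // Password taken from the environment for brevity; a key identity
                // (session.addPublicKeyIdentity) is the better choice in practice.
                session.addPasswordIdentity(System.getenv("SSH_PASSWORD"));
                session.auth().verify(10L, TimeUnit.SECONDS);

                // Dynamic port forwarding: the SOCKS proxy lives inside this SSH client.
                // Bind to loopback so only processes on this host can reach it; port 0
                // lets the library pick a free port, returned in the bound address.
                SshdSocketAddress socks = session.startDynamicPortForwarding(
                    new SshdSocketAddress("127.0.0.1", 0));
                try {
                    // Everything between here and the SSH server travels inside the
                    // encrypted SSH channel; the SSH server still sees the target host,
                    // because it is the one opening the outbound connection.
                    int status = fetchThroughSocks(TARGET_URL, socks);
                    System.out.println("HTTP status via SOCKS proxy: " + status);
                } finally {
                    session.stopDynamicPortForwarding(socks);
                }
            }
        }
    }

    // The SOCKS client side: a plain java.net SOCKS proxy pointing at the local
    // forward. The proxy-to-client hop is unencrypted, which is why the listener
    // is kept on 127.0.0.1. Whether the payload itself is encrypted end to end
    // depends on the application protocol; with https:// TLS takes care of it.
    static int fetchThroughSocks(String url, SshdSocketAddress socks) throws Exception {
        Proxy proxy = new Proxy(Proxy.Type.SOCKS,
            new InetSocketAddress(socks.getHostName(), socks.getPort()));
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection(proxy);
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        try (InputStream in = conn.getInputStream()) {
            in.readAllBytes();
        }
        return conn.getResponseCode();
    }
}
```

Run it with SSH_PASSWORD set and the server's key already in ~/.ssh/known_hosts; a server whose key is missing or changed is rejected before authentication, which is the behaviour you want when the motivation is MITM resistance. If you do need to expose the SOCKS port beyond loopback, the reply above applies: that hop carries SOCKS in the clear, so it needs its own protection.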

cowwoc commented 3 months ago

@tomaswolf Thank you for your reply. In the scenario you outlined, is there a way for the SOCKS client to conceal which hosts it is visiting from the SSH server?

tomaswolf commented 3 months ago

No, obviously not. After all the SSH server will connect to the target host.

You'll have that problem also with any other socks proxy. You cannot conceal the target host from a socks proxy; it needs to connect to that target host.

cowwoc commented 3 months ago

Got it. Thank you for clarifying all the moving parts. I'll go ahead and close this issue.