Comment by sam0x17

3 years ago

Don't forget that historically, a "half-measure" a lot of people used to use to get around regional blocking was "web proxies" like those linked to by proxy.org. I used to operate one as a young teen and I will say they are a security nightmare -- nothing stopping a web proxy operator from sniffing all user credentials passing through them, and modifying PHProxy to do this is trivial.

Personally I used to run a domain parking service (back when I was a teen in the early 00s) that used the domains as web proxies and replaced all AdSense blocks it could find in the content with my AdSense code, and did a 50/50 split between my code and the domain owner's code. Google eventually became wise to this and banned that sort of thing, but it was pretty cool while it lasted, and honestly I think it was super fair considering we didn't even add any ad blocks, just re-used the existing ones already in the content.

With practically-ubiquitous HTTPS, these days proxy use is mainly a privacy risk since for HTTPS, they usually can only support transparent byte relaying anyway.

  • > for HTTPS, they usually can only support transparent byte relaying anyway.

    On my LAN I run Squid on a Raspberry Pi, and have my personal laptop configured to use that as an HTTP and HTTPS proxy.

    All TLS HTTP connections going through the Squid proxy are intercepted.

    This only requires that my laptop trusts a self-signed TLS certificate that Squid uses.

    Someone could easily run the same kind of thing on the internet, providing free proxy service and telling their users to trust a certificate signed by them, without properly explaining the consequences of that. And a lot of novice users would likely use that proxy service, gleefully unaware that even the “encrypted” traffic is completely visible to the proxy.

    In fact, I would be extremely surprised if there aren’t a whole gazillion of services out there doing exactly that.

    But in many jurisdictions running a service like that would likely be cybercrime. And even if it wasn’t illegal, it’s still not nice. So, you know, don’t go and actually create a service like that.

    • >Someone could easily run the same kind of thing on the internet, providing free proxy service and telling their users to trust a certificate signed by them, without properly explaining the consequences of that.

      Somebody already did do this, except as a paid service, and had their special 'client' simulate user clicks to install the self-signed root CA cert in your OS' cert store for you.

    • No. You put it public, get public domain > valid cert from a trusted list of CAs that Google and Mozilla treat as trustworthy, look at 'em. There are more problematic than unproblematic.

  • Web proxies completely bypass any protection offered by HTTPS as they act as a true man-in-the-middle and place requests on behalf of the user. Unlike traditional proxies, web proxies are entirely web-based and use a web interface, so literally all the data flows through the server-side code of the web proxy.

  • So like a VPN?

    • Not really. In my view, VPNs (at least the type discussed here) and proxies are complementary:

      VPNs are good at encrypting/redirecting all of your device's traffic, since they're per-computer by default. They're accordingly good at preventing metadata leaks (e.g. visited sites or used apps) on untrusted networks.

      Proxies are opt-in, but can accordingly be much more fine-grained. For example, Firefox supports per-domain (via various extensions) or per-tab (via the built-in "containers" feature) proxies – VPNs usually can't do that.

> nothing stopping a web proxy operator from sniffing all user credentials passing through them, and modifying PHProxy to do this is trivial

That's why you go through seven proxies.

  • No, that's why you tunnel through seven proxies, each being used with different sets of credentials/encryption keys, all disposable. The last tunnel is not the main data channel, but the channel you use to coordinate command and control, and then you use a botnet to distribute pieces of your real communications.

  • Web proxies aren't traditional proxies. They have a web interface and issue requests on behalf of the user server-side, so all of the user's data flows through the user interface and the server side in plain text (though protected by the HTTPS of the web proxy itself). This is fine if you 100% trust the web proxy, but a malicious web proxy operator could easily look at all your data.

I used to pay a small fee for a shell account by some UK provider so I could set up a SOCKS proxy over an SSH tunnel. I suppose they could have captured my egress traffic but I trusted them not to do that. I was just using it to watch BBC iPlayer/Channel 4 from the US anyways. :)