Comment by lxgr

3 years ago

With practically ubiquitous HTTPS, these days proxy use is mainly a privacy risk since for HTTPS, they usually can only support transparent byte relaying anyway.

> for HTTPS, they usually can only support transparent byte relaying anyway.

On my LAN I run Squid on a Raspberry Pi, and have my personal laptop configured to use that as an HTTP and HTTPS proxy.

All TLS HTTP connections going through the Squid proxy are intercepted.

This only requires that my laptop trusts a self-signed TLS certificate that Squid uses.

Someone could easily run the same kind of thing on the internet, providing free proxy service and telling their users to trust a certificate signed by them, without properly explaining the consequences of that. And a lot of novice users would likely use that proxy service, gleefully unaware that even the “encrypted” traffic is completely visible to the proxy.

In fact, I would be extremely surprised if there aren’t a whole gazillion of services out there doing exactly that.

But in many jurisdictions running a service like that would likely be cybercrime. And even if it wasn’t illegal, it’s still not nice. So, you know, don’t go and actually create a service like that.

  • > This only requires that my laptop trusts a self-signed TLS certificate that Squid uses.

    The word "only" is doing a lot of work there.

    • Not really. I do the same thing, but I do not use squid. Learning how to operate a localhost proxy is not particularly difficult compared to, say, learning programming languages. The latter is a topic people on HN discuss ad nauseam. No one questions when someone lists the computer languages they know and claims they can learn a new language in X minutes or a weekend or whatever.

      Just because someone does not know how to do something does not mean it is difficult. It just means they did not try to learn how to do it. This is a very common comment on HN. It's quite silly.

      Learning how to set up a localhost proxy on a laptop is far easier than learning a programming language. But it is not something that many people on HN want to learn, cf., e.g., programming languages.


    • Yeah, I've thought about having a CA for my home LAN services, and then have my phone and laptop trust that CA, but I'm terrified of the possibility that my CA could be compromised, and then someone could intercept my traffic to my bank or whatever.

      So I just put up with clicking through the TLS cert errors every now and then.


  • > Someone could easily run the same kind of thing on the internet, providing free proxy service and telling their users to trust a certificate signed by them, without properly explaining the consequences of that.

    Somebody already did do this, except as a paid service, and had their special 'client' simulate user clicks to install the self-signed root CA cert in your OS' cert store for you.

    • Interesting; it would have to be a pretty invasive client to do that. Usually installing a cert is accompanied by a lot of very loud warnings on modern OSes. So the end user would have to first give this software the permission to click around on their desktop for them without fully understanding the implications. Which does seem plausible.


  • No. You put it public, get a public domain > valid cert from a trusted list of CAs that Google and Mozilla treat as trustworthy; look at them. There are more problematic than unproblematic ones.

Web proxies completely bypass any protection offered by HTTPS as they act as a true man-in-the-middle and place requests on behalf of the user. Unlike traditional proxies, web proxies are entirely web-based and use a web interface, so literally all the data flows through the server-side code of the web proxy.

So like a VPN?

  • Not really. In my view, VPNs (at least the type discussed here) and proxies are complementary:

    VPNs are good at encrypting/redirecting all of your device's traffic, since they're per-computer by default. They're accordingly good at preventing metadata leaks (e.g. visited sites or used apps) on untrusted networks.

    Proxies are opt-in, but can accordingly be much more fine-grained. For example, Firefox supports per-domain (via various extensions) or per-tab (via the built-in "containers" feature) proxies – VPNs usually can't do that.
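One way to get the per-domain granularity described in this thread without any extension is a PAC (proxy auto-config) script, which Firefox loads via its "Automatic proxy configuration URL" setting. The example below is added here and is not from any commenter; the Squid address and the domain lists are constructed placeholders. It routes only an explicit allow list through the LAN Squid proxy, with a deny list that takes precedence so that an intercepting proxy never sees, for instance, a bank's traffic.

```javascript
// Added example PAC script. Firefox evaluates FindProxyForURL(url, host) for
// every request and uses the returned proxy string. Values below are
// constructed placeholders, not from the thread.
const SQUID = "PROXY 192.168.1.10:3128";              // assumed Raspberry Pi address
const PROXIED_DOMAINS = ["example.com", "example.net"]; // constructed allow list
const NEVER_PROXY = ["bank.example.com"];               // constructed deny list

// The PAC runtime normally supplies dnsDomainIs(); it is defined here with the
// same semantics so the script also runs stand-alone under Node for testing.
function dnsDomainIs(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

function FindProxyForURL(url, host) {
  // Plain LAN host names and loopback never go through the proxy.
  if (host.indexOf(".") === -1 || host === "127.0.0.1") {
    return "DIRECT";
  }
  // Deny list is checked first, so a sensitive subdomain of a proxied
  // domain still bypasses the intercepting proxy.
  for (const d of NEVER_PROXY) {
    if (dnsDomainIs(host, d)) return "DIRECT";
  }
  // Only explicitly listed domains are sent to Squid; "; DIRECT" is the
  // standard PAC fallback if the proxy is unreachable.
  for (const d of PROXIED_DOMAINS) {
    if (dnsDomainIs(host, d)) return SQUID + "; DIRECT";
  }
  // Everything else goes direct, so the proxy sees only what was opted in.
  return "DIRECT";
}
```

Firefox passes only scheme and host for HTTPS URLs to the PAC script, so decisions must be made on `host`, as done here.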