The plaintext thing:
Are you unintentionally sending postcards online?
I’ve spotted some very excited posts about using proxy as an anonymizer.
Not that it were impossible, some proxies might be used like that — there must use a proper configuration for it though. Needless to say such a configuration is not always the default option.
This is just a clarification of what might happen if you think all proxies will make you anonymous. For non-techie people as well.
What are proxy servers for?
If you surf the web via a proxy, you are browsing in such a way that it seems like your IP is the IP of the proxy. But that is (sometimes) it.
A proxy is an intermediary server, all your data is passed through that server so that when you want to load a website, the remote server will think that you are the proxy. That means it will effectively hide your physical location. But please note it doesn’t say anything about encryption, privacy or anything like that in the most basic meaning of proxy.
In fact connection to a proxy is easy. There is a list of free proxy servers, anyone can access them or build an interface for accessing them. But the traffic that goes through the proxy server usually follows the basic HTTP protocol, not HTTPS, there is no inherent encryption.
What does that mean?
All the data that are routed from the remote server through proxy and to your computer might be sent in plaintext. Plaintext is exactly what it sounds like: plain text.
Now the thing with plaintext is that not only the server admins but pretty much anybody can access them.
There is an open source tool for it that is called Wireshark. It’s a program which scans all data connections in the network and if you filter the massive amount of data in the right way you can simply read what others are doing online. Now that might be an oversimplification but think of a hotel or a train station where everyone is on the same wifi. Anyone inside the network might be looking into Wireshark and browsing the logs. That’s quite a good everyday example where I think a lot of people would say, ok, I’ll just use a proxy.
And that’s the misconception.
If you want to hide your data from Wireshark prying eyes you should go for VPN which has inherent encapsulation and encryption, or for proxy that has HTTPS. In other words, you need a cipher.
What can happen if you don’t cipher?
Suppose you use a web app that uses authentification via username and password. You type it in and you get access to your account. But for the auth process to complete your credentials must be sent to a server and compared to a line a database. And how are they being sent?
If the authentification is of the basic type, they are sent in plaintext. And that’s how it looks like:
The credentials are there, username joe, password bloggs. It’s like sending them on a postcard.
Most apps nowadays probably won’t do it like this but still: when was the last time you checked?
I personally wouldn’t even bother checking. If you have a proxy that you trust, you should rather check it’s on HTTPS instead. Applying some basic security will save you a lot of time and hassle checking with services send information in plaintext.
But again, proxies are mainly meant for harmless little things. Do you want to watch a youtube video that is not available in your country? Use any proxy of any kind. Do you want to be the only person who knows that you are watching that kind of video? Well, I’d probably call you paranoid but anyway, you need at least HTTPS.
Not so techie?
I have already talked about it in one of my post — it is very simple to figure out if your proxy uses HTTPS or not. Simply look at the URL.
Good proxy will have the URL starting with HTTPS, then there will be the name/address of the proxy server itself and at the end there will be a query containing information about the website you want to see. That query should be some random string, the information about what you are looking for shouldn’t really be as public as a URL query is. So let’s look at some examples:
The first proxy service we are going to look at will be KProxy. Quite a new and hassle free thing. If you just get to their homepage and type in the URL of the website you want to see, you’ll get this:
You see, no HTTPS!
Turns out you have to click on the little padlock when you are entering your URL. HTTPS protocol is not the default option with KProxy just as it is with many other proxies.
This is how the HTTPS button looks like when you’ve clicked on it:
Now you’ll get a different kind of URL:
HTTPS, that’s precisely what you want. However as you notice there is a little yellow sign on the lock there in the address line. When you click on it, you’ll see it stating something like “This website uses obsolete encryption. Your connection might not be private”.
So this might not really be the right choice — you see? Even though they use HTTPS. On other proxy websites you might get other kind of warnings — for instance there might be misconfiguration on the proxy server and so on.
But let’s try another vendor now, after all there’s more than plenty. Let’s go to Hidester, another quite new thing. You’ll see there is no option to choose HTTP/HTTPS so I’ve simply typed in youtube.com and hit enter. Here’s what I got:
The URL starts with HTTPS so it’s clear at Hidester HTTPS is the default and only option. The proxy runs as a PHP script with random query that stores your desired URL, which is very nice too. And last but not least, no yellow warning here. If you still click on the lock in the address bar it should tell you “Your connection is private” or something along the lines, in green letters.
There is a number of reasons why proxy web access points don’t often use proper HTTPS — it needs more resources, the configuration on server side is more complicated and, uhm, nobody cares … right?
So chances are, as protocols age, proxy services that are OK for now won’t update and their HTTPS will get stale. So in this case maybe it is not a good idea to just pick a proxy and stick with it, not checking the state of it by simply looking at browser warnings. That’s the least you can do and if you see something has gone wrong, just pick another service, there’s enough.
I’d really recommend sticking with HTTPS though, because since you have the chance to use it for free (!), why wouldn’t you, actually.
It is not a military level thing just by itself but sometimes one little steps can make a big difference: If I had a hotel full of plaintext on my network I wouldn’t ever bother with HTTPS.
Originally published at freeproxy2015.wordpress.com on August 6, 2015.