23 hours ago, rawTOP said:

If you trust the proxy service, yes proxy services are a good idea. I've actually been meaning to start advertising a few. But a bad proxy service can put you in a worse position than no proxy service at all.

And a corollary to that is there is no trustworthy "free" proxy service. They need to make money and they'll do it by selling your data.

Man in The Middle (Transparent Forward) proxies fail completely when they encounter a site like this one. I have HSTS enabled on all my sites. If there's a transparent forward proxy you'll get an invalid certificate error warning you that the connection is not secure. It will look like this…

https://assets.s3xstatic.com/bz/uploads/monthly_2020_01/bbbh-cert-problem.thumb.jpg.5c0c5c3a1cac8f6306036964aed96f56.jpg

I went through this the other day with a user who didn't want to believe he was being spied on by his ISP.

So let me explain transparent forward proxies as well…

Basically if you use a device owned by your company and their tech "set up the computer for you" with their "standard build" before giving it to you, then there's nothing you can do about it. Your computer has probably been configured to let the corporate firewall spy on you. And it's probably been locked down so you can't stop it from happening. Bottom line, buy your own computer and phone!!

But if you use your own device (laptop, phone or tablet) and corporate IT hasn't touched it, then when your device hits their firewall (that acts as a transparent proxy) the firewall will attempt to "proxy" your request, meaning you talk to the firewall, and the firewall talks to the server. They can do this one of two ways – 1) present you with a fake encryption certificate for the site, or 2) force your browser to downgrade from HTTPS (encrypted connection) to HTTP (clear text connection). They'll then connect to the server on your behalf, request the page, and examine it. If it passes their tests, they'll pass it on to you either in clear text or with a fake encryption certificate. If corporate IT has meddled with your device, your browser can be taught to accept the fake certificate from the firewall as authentic. If they haven't meddled with your computer, all they can do is downgrade you to clear text. The thing is, the webmaster can configure their site in such a way that browsers know that the connection must be encrypted (the protocol to do this is called HSTS – HTTP Strict Transport Security). That means your browser won't allow the firewall to downgrade you to clear text. And if they try to present a fake encryption certificate, your browser (because it hasn't been meddled with) will show you an "invalid certificate" error like the one above.

The problem is that it's up to the webmaster to configure HSTS. There's no way (that I know of) for a user to configure their browser so it only does encrypted connections. The browsers will tell you when a site is insecure, but it's just an icon above the page. You may miss the fact that you were downgraded to clear text.

I only know of two sites that implement this - here and Ebay.

Obviously, I don't browse sites like this on my corporate machine, but to date the -only- one that throws the above error is, as I say, Ebay.
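To make the browser-side behaviour described in the quoted post concrete, here is a small model of how a browser handles HSTS (RFC 6797): it records the Strict-Transport-Security header only when it arrived over HTTPS, upgrades later plain-HTTP requests for that host (and subdomains, if the header says so) before they leave the browser, refuses to let a certificate error on a known host be clicked through, and forgets the policy once max-age has elapsed. This is an added example written for this page, not code from the forum or from any browser; the hostnames, header values and clock values are constructed samples.

```python
"""Toy model of browser HSTS handling (RFC 6797), added as an illustration."""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    max_age: int            # seconds the policy is valid for
    include_subdomains: bool
    received_at: float      # clock value when the header was seen


def parse_hsts(header: str):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age, include_subdomains), or None when the header is invalid
    (missing max-age, non-numeric max-age, or a directive given twice).
    """
    max_age = None
    include_subdomains = False
    seen = set()
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:            # RFC 6797 §6.1: each directive at most once
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """The browser's per-host HSTS cache; `now` is injectable for offline testing."""

    def __init__(self, now=time.time):
        self._now = now
        self._policies = {}

    def record(self, host: str, scheme: str, header: str) -> bool:
        """Store the policy from a response. Only an HTTPS response may set it
        (RFC 6797 §8.1), so a downgraded clear-text page cannot plant or clear one."""
        if scheme != "https":
            return False
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:                     # max-age=0 tells the browser to forget the host
            self._policies.pop(host, None)
            return True
        self._policies[host] = HstsPolicy(max_age, include_subdomains, self._now())
        return True

    def is_known(self, host: str) -> bool:
        """True if host (or a parent with includeSubDomains) has an unexpired policy."""
        host = host.lower()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            if self._now() - policy.received_at > policy.max_age:
                del self._policies[candidate]    # expired: drop it and keep looking
                continue
            if candidate == host or policy.include_subdomains:
                return True
        return False

    def rewrite_url(self, url: str) -> str:
        """Upgrade http:// to https:// for known hosts before any request is sent."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        port = parts.port
        netloc = parts.hostname + (f":{port}" if port not in (None, 80) else "")
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def can_bypass_cert_error(self, host: str) -> bool:
        """A known host gets a hard failure: no 'proceed anyway' for a bad certificate."""
        return not self.is_known(host)


def demo():
    """Walk through the post's scenario with a fake clock (constructed values)."""
    clock = {"t": 1_000_000.0}
    store = HstsStore(now=lambda: clock["t"])
    results = {}
    # A clear-text response (what a downgrading proxy hands back) cannot set policy.
    results["http_set_ignored"] = store.record("example.test", "http", "max-age=31536000")
    # First genuine HTTPS visit records the site's header (constructed sample header).
    results["https_set"] = store.record("example.test", "https", "max-age=31536000; includeSubDomains")
    # A later plain-HTTP request is upgraded inside the browser, so it cannot be downgraded.
    results["upgraded"] = store.rewrite_url("http://www.example.test/login?next=/inbox")
    # A fake certificate from a proxy produces an error the user cannot click through.
    results["cert_bypass_allowed"] = store.can_bypass_cert_error("www.example.test")
    # After max-age plus one second the policy has lapsed.
    clock["t"] += 31536001
    results["known_after_expiry"] = store.is_known("www.example.test")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two rules that matter for the post's scenario are in `record` and `rewrite_url`: because a policy can only be learned over HTTPS, a proxy that downgrades the first visit to clear text cannot strip a policy the browser already holds, and once the policy is held the browser never emits the plain-HTTP request the proxy would need to intercept. The gap the post points out remains: the very first visit to a site the browser has never seen over HTTPS is not protected by this mechanism, which is why sites also submit themselves to browser preload lists.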
