
Why are free proxies free? (2013) - rasengan
https://blog.haschek.at/post/fd9bc
======
pizza
Probably what's happening across the world's middle schools:
MSN/facebook/youtube blocked by the school firewall? No problem, I know a kid
who can get us around it. Here, she says, just google proxies, and we click on
the first one, and proceed to enter our credentials..

~~~
ics
One of the first things I did at that age whenever changing schools was to set
up a couple proxies to get around SonicWall or whatever my school would be
using. I added a link to my Facebook and usually a funny pic from around the
web to the landing page... definitely one of the easiest ways for an introvert
to get others to remember their name...

Edit: Oddly, nobody from the schools ever called me out on it despite PII on
the page and the WHOIS data (I was using personal domains at that point, .com
and .info). I can't remember if Tor ever worked, but back then it was slow as
hell anyway because even the school's "high-speed" connection wasn't close by
today's standards.

Further edit: I was trying to learn PHP at the time, and was using some
existing scripts along with dinky little modifications. It wasn't malicious,
but a couple times it was fun to manually post stats for which sites were the
most visited. The type of sites people used it for was not surprising.
Regrettably I never took it far enough to do anything clever, instead pretty
much abandoning code for following couple years.

Fun memories since I'd mostly buried that whole period as "boring, non-
technical, and embarrassingly childish" stuff.

~~~
halflings
Well, you were particularly techy' for that age :) ; It does remind me of my
childhood though, and that even in elementary school there is such a thing as
the "tech guy".

------
danjayh
I think an obvious, if not particularly harmful thing for a free proxy to do
would be replacement of ads with ones that pay to the proxy owner, and
injection of affiliate links whenever possible. I wonder how common that is?

~~~
joshmn
Someone I know very well runs one of the largest proxy networks.

"Why wouldn't we? Our users aren't particularly tech-savvy, and we've
calculated that 90% of our [user] base doesn't have an adblocker of such
installed. ... [we] see 90% [of our income, combined with our VPN services]
from injecting ads - sometimes, they are more relevant than what the visiting
site serves."

------
Goopplesoft
> extra piece of code that does things like send all data entered in forms to
> your server

Assuming you're injecting JS, the site isn't SSL meaning all that data is
available to the proxy anyway (its part of their operation). The botnet angle
is much more interesting than the loss of privacy one.

~~~
sillysaurus3
What happens if the user tries to visit a site with https, like gmail? Can the
free proxy still be destructive? I assume yes, but I'm interested in hearing
about the technical details.

~~~
witty_username
Most of the web (you type the URL into the proxy's webpag) "HTTPS" proxies
found by Google search only give results that the proxy has encrypted.
However, through TCP proxies (through which HTTPS can be supported), the
attacker can only do an SSL-strip attack.

~~~
nothrabannosir
Mainstream browsers do not readily support HTTPS connections to proxies. FF
only very recently introduced this, Chrome needs you to specify the proxy URL
on the command line.

Even when you do, the connection to the proxy being HTTPS has nothing to do
with the "[https://"](https://") you see in the browser.

Bottom line: do you see a green
"[https://...google.com/..."](https://...google.com/...") ? Then you are safe.
SSL stripping will NOT go undetected, without compromising your computer in
some way (fake root CA).

For more info, search the net for SSL strip tools and look at their features.
E.g.: homograph domain names, rewriting [https://](https://) links to
[http://](http://), or using self-signed CAs (will cause SSL warning). If you
find a real, clean SSL strip, make sure to post it here to HN. Guaranteed you
will make the front page ;)

~~~
witty_username
oh nvm I misunderstood SSL strip.

------
antimora
Once my ISP (Cox Communication) injected a message into a web page I was
reading to notify me of their planned service downtime. So I wonder the
legality aspect of this type of injection. Is anyone who transmits data can
modify pages?

~~~
johansch
I'm not aware of any such case going to court anywhere, although it probably
has by now.

In Sweden a couple of years ago, the largest mobile operator Telia injected
some toolbar with ads on top of all mobile web content. Within a working day
literally all of the swedish media sites had collectively blocked all access
to their web sites from Telia mobile IP ranges. The next day the ad toolbar
was gone.

~~~
yourad_io
> Within a working day literally all of the swedish media sites had
> collectively blocked all access to their web sites from Telia mobile IP
> ranges. The next day the ad toolbar was gone.

That's amazing - the market kicking back in full force and putting a giant
back in its place. In other markets/regions this would just pass.

Do you have a source? I tried some googling but my English keywords seem to
have no power ;)

~~~
johansch
[https://translate.google.com/translate?sl=sv&tl=en&js=y&prev...](https://translate.google.com/translate?sl=sv&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fjardenberg.se%2Ftelia-
surf-closed-not-open%2F&edit-text=)

and

[https://translate.googleusercontent.com/translate_c?depth=1&...](https://translate.googleusercontent.com/translate_c?depth=1&hl=en&ie=UTF8&prev=_t&rurl=translate.google.com&sl=sv&tl=en&u=http://www.dagensmedia.se/nyheter/article13360.ece&usg=ALkJrhjV0Lmar5Sl0xQfoIvITPpfV7j7kw)

Seems like my memory was a bit hazy. The issue was that not that they inserted
their own ads on top of mobile content, but that they inadvertedly blocked
some ad content in the actual sites.

------
alimoeeny
Another group of users of free proxies (I had been in that group in the past),
are people living in countries behind state run firewalls/filters. You want to
read the news, or even check your email (in some cases) and you need a proxy.
You cannot afford to run your own proxy. So you use the free ones, AND YOU
KNOW they are not safe, but you don't have a choice.

~~~
dogma1138
If you live in one of those countries using the proxy will get you into the
same trouble as reading those sites in the first place, heck probably into
even more trouble.

~~~
jrochkind1
Are you guessing, or have you seen actual reports/investigations that say
that? I don't think it's so. China, for instance, doesn't have nearly the
resources (or at least doesn't choose to use them) to 'get into trouble'
anyone who looks at censored content, say, via a proxy. They just make it as
difficult as possible to access.

One study suggested that even _posting_ unallowed content might escape without
censorship (let alone punishment) -- unless the posted content attracts
discussion from others, and thus the algorithms make it look like you might
actually be organizing.

[http://gking.harvard.edu/files/gking/files/experiment_0.pdf](http://gking.harvard.edu/files/gking/files/experiment_0.pdf)

------
jedisct1
Quite a few non-free "privacy apps" just route your traffic through free, open
proxies that they keep scanning. So, of course, you end up being completely
exposed to snooping and injections.

~~~
ksrm
Could you name names?

------
msoad
Some proxy providers ask users to install client-side apps. You don't have to
do all this dance to see what user is seeing if you can install a binary on
users machine. This is what most of people in Iran and China do.

One way or another, somebody is watching. Either it's the NSA or some ad
agency interested in your browsing habits while you "bypass" the filters.

------
bbcbasic
Wouldn't be hard for them to make your next executable download point to
something with ransomware, but with the name you downloaded. Scary stuff.

~~~
kbart
MD5 sum check is intended to protect against such situation. I just would like
to see statistics of how often it is actually used..

------
blevinstein
A friend of mine setup a simple PHP-based proxy while he was in high school,
to get around the firewall.

Then, he modified it slightly to scrape facebook username/passwords, and gave
the URL to all his friends. :)

I wonder whether modern security practices (e.g. https everywhere) will make
proxies less lucrative (and therefore less common).

------
jldugger
As the saying goes, if you're not paying for it, you're not the customer,
you're the product.

------
binaryanomaly
"There ain't no such thing as a free proxy..." \- Internet pirate

------
stepstep
In the future, I imagine almost every site will use HTTPS—maybe browsers will
even refuse to connect over plain HTTP. Then this kind of attack won't be
possible.

~~~
skrebbel
I'm sure that there will be free proxies that "require you to install this
program" (which also installs a certificate) to work. But yeah, it helps for
e.g. the middle schoolers who don't have admin rights on the computers anyway.

~~~
TeMPOraL
I.e. it helps making our broken education system even worse?

~~~
sleepychu
This isn't really fair, you can't trust 100s/1000s of children you don't know
to look after systems well.

~~~
TeMPOraL
This is called "learning experience". How children are supposed to not think
of computers as magic boxes if they're prohibited from doing anything
interesting on it (and that very much includes breaking them and fixing by
themselves)? Restoring the machines back to original state should be a trivial
task for whoever is responsible for the computer room.

~~~
danneu

        > How children are supposed to not think of
        > computers as magic boxes if they're prohibited
        > from doing anything interesting on it (and that
        > very much includes breaking them and fixing by 
        > themselves)?
    

The first thing every kid did in the computer lab was highlight all the icons
on the desktop and try to delete them. We already knew how to use computers
because we had one at home to mess with. The whole goal of the computer lab
was to figure out how to create a bomb for the next user.

Now pretend we aren't in the heights or mid/upper burbs anymore. There is no
IT/networking staff. It's just Mr. Perkins, the English teacher that
volunteered to look after the computer room. And there are kids without
computers in their household. Too bad, all the computers are hosed because
lol.

------
chmars
ZenMate ([https://zenmate.com/](https://zenmate.com/)) is a popular German
proxy service – and it's free … cui bono?

~~~
nonninz
Well ZenMate is a VERY well funded startup offering a freemium service.

While their desktop proxy service is free, they also offer a premium account
for their VPN services for mobile.

See:
[http://techcrunch.com/2014/10/01/zenmate/](http://techcrunch.com/2014/10/01/zenmate/)

~~~
chmars
The _plan_ to offer a premium account:

[https://zenmate.com/pricing/](https://zenmate.com/pricing/)

------
jfoster
Couldn't this also be applied to WiFi hotspots? This really makes quite a
strong case for sites to add HTTPS.

------
tbg
>Tell your friends never to use free proxies

Nah, just use Private/Incognito windows when using "free" proxies

------
jjp
Would be interesting to see how many free proxies are actually injectng JS or
changing the html in anyway.

~~~
Goopplesoft
Most do actually, most links on html are changed so that you continue using
the proxy, JS is often removed, etc.

~~~
Retr0spectrum
You are referring to a web-based proxy.

------
read
I would pay for a safe proxy. Why are there no proxy-as-a-service companies?

~~~
yc1010
1\. Buy/spinup a cheap vps (aws or digitalocean)

2\. Install tinyproxy (apt-get install tinyproxy)

3\. Configure it to bind to the vps public ip, set a high port, limit access
to your home/work ip address or range(s)

4\. Set your browser proxy to vps.ip.add.res:12345

The above is simple and effective, only downside anyone else on your ip or
range you specified can use that proxy too (if they find out the ip:port and
if they done steps 3 and 4 above). You can switch off the vps when not using
it (saving you money)

~~~
bnegreve
> only downside anyone else on your ip or range you specified can use that
> proxy too.

If you have ssh access, you can set up a proxy on the remote server, and use
ssh dynamic port forwarding (-D) to forward the proxy connections on your
local machine.

Using this trick you can safely use any ssh capable machine as a proxy. It
works like a charm.

~~~
kijin
And if your 'ssh capable machine' runs Linux, OSX, or any other *nix, you can
use sshuttle [1]. It's a layer on top of SSH dynamic port forwarding that
allows you to proxy any application, even those that don't support proxies out
of the box.

[1]
[https://github.com/apenwarr/sshuttle](https://github.com/apenwarr/sshuttle)

------
99jessy
Its free and thats why its free

------
jarfil
TL;DR: TANSTAAFL

------
curiously
How would you get a new ip address on demand or is there such service out
there? What about all these sites that sell paid proxies, can be trusted?

------
pranayairan
interesting, i never thought about such attack matrix.

