Probably what's happening across the world's middle schools: MSN/facebook/youtube blocked by the school firewall? No problem, I know a kid who can get us around it. Here, she says, just google proxies, and we click on the first one, and proceed to enter our credentials.
One of the first things I did at that age whenever changing schools was to set up a couple proxies to get around SonicWall or whatever my school would be using. I added a link to my Facebook and usually a funny pic from around the web to the landing page... definitely one of the easiest ways for an introvert to get others to remember their name...
Edit: Oddly, nobody from the schools ever called me out on it despite PII on the page and the WHOIS data (I was using personal domains at that point, .com and .info). I can't remember if Tor ever worked, but back then it was slow as hell anyway because even the school's "high-speed" connection wasn't close by today's standards.
Further edit: I was trying to learn PHP at the time, and was using some existing scripts along with dinky little modifications. It wasn't malicious, but a couple times it was fun to manually post stats for which sites were the most visited. The type of sites people used it for was not surprising. Regrettably I never took it far enough to do anything clever, instead pretty much abandoning code for the following couple of years.
Fun memories since I'd mostly buried that whole period as "boring, non-technical, and embarrassingly childish" stuff.
Well, you were particularly techy for that age :) It does remind me of my childhood though, and that even in elementary school there is such a thing as the "tech guy".
We used software and hardware key loggers to get system and firewall passwords. We'd just shut the firewall off if we wanted to do something that was blocked.
I think an obvious, if not particularly harmful thing for a free proxy to do would be replacement of ads with ones that pay to the proxy owner, and injection of affiliate links whenever possible. I wonder how common that is?
Someone I know very well runs one of the largest proxy networks.
"Why wouldn't we? Our users aren't particularly tech-savvy, and we've calculated that 90% of our [user] base doesn't have an adblocker of such installed. ... [we] see 90% [of our income, combined with our VPN services] from injecting ads - sometimes, they are more relevant than what the visiting site serves."
Back in 2001 I did some consulting for CyberRebate, who were building exactly this. In return for running their proxy you'd earn reward points that you could cash in on their site. They imploded (http://en.wikipedia.org/wiki/CyberRebate) before the product was launched.
> extra piece of code that does things like send all data entered in forms to your server
Assuming you're injecting JS, the site isn't SSL meaning all that data is available to the proxy anyway (it's part of their operation). The botnet angle is much more interesting than the loss of privacy one.
What happens if the user tries to visit a site with https, like gmail? Can the free proxy still be destructive? I assume yes, but I'm interested in hearing about the technical details.
Most of the web (you type the URL into the proxy's webpage) "HTTPS" proxies found by Google search only give results that the proxy has encrypted. However, through TCP proxies (through which HTTPS can be supported), the attacker can only do an SSL-strip attack.
Mainstream browsers do not readily support HTTPS connections to proxies. FF only very recently introduced this, Chrome needs you to specify the proxy URL on the command line.
Even when you do, the connection to the proxy being HTTPS has nothing to do with the "https://" you see in the browser.
Bottom line: do you see a green "https://...google.com/..." ? Then you are safe. SSL stripping will NOT go undetected, without compromising your computer in some way (fake root CA).
For more info, search the net for SSL strip tools and look at their features. E.g.: homograph domain names, rewriting https:// links to http://, or using self-signed CAs (will cause SSL warning). If you find a real, clean SSL strip, make sure to post it here to HN. Guaranteed you will make the front page ;)
Wait... If people can't use proxies to surf with HTTPS, then how does HTTPS provide any security when using Tor? Tor is basically a proxy, and the only reason Tor is safe is because of HTTPS-everywhere. I'm having trouble figuring out why HTTPS works on Tor but not for these kinds of proxies.
My understanding is that you should be able to set up a TLS session with a destination server while you're routing your traffic through a robot-in-the-middle. And the robot shouldn't be able to harm your content in any way, due to the encryption. (I originally said that a free proxy could still cause harm, but if HTTPS is involved, I'm pretty sure that's not true, otherwise Tor wouldn't work. It could drop the connection, but it shouldn't be able to modify anything.)
Tor is a TCP proxy. It doesn't matter to HTTPS; the TLS part is being done with the client through the TCP connection (which is actually routed through Tor but HTTPS doesn't care). And HTTPS through Tor is as secure as doing it through any other way.
_However_, many free online proxies, e.g. HideMyAss, will simply fetch the page and send it to the client encrypted using their key. In this case, the TLS part is being done with the proxy website, not the actual website being requested. (Basically original website sends encrypted data to the proxy; proxy decrypts it and then encrypts it with its own key; proxy sends to browser.)
(Tor, however, will simply send the raw TCP packets back to the client).
HTTPS tries to perform two goals:
encryption: all the data is encrypted which means that a malicious agent can not sniff the data
authentication: since the data is signed by the website's key it can't be modified by an attacker.
The way HTTPS works is so that it's impossible to sniff the data or modify the data without having the session key (that might not be the correct name; but I don't remember). The session key is stored on the client and server. Without access to either of these machines it's impossible to break HTTPS.
Right, of course. Thanks so much for clarifying the concepts in my head. It's difficult to keep track sometimes.
Would it be true to say that HTTPS-over-proxy provides zero security for the end user, since a proxy must be able to encrypt raw HTTP requests/results on behalf of the client? In other words, the proxy can be blatantly malicious against the user, and the client won't even be able to realize that. The only security would be against any third-party eavesdroppers (someone else besides the user, proxy, or final website).
I might be wrong about that too, but I'm trying to grok it.
No, correctly configured, HTTP proxies just forward the connection on, so you can verify the TLS on your end. That's the default you'll get from your browser.
However, you can configure a proxy to intercept and re-encrypt things. But the client (your browser) must trust the certificate that's re-encrypting, which won't happen unless the proxy's CA cert is installed on your system. This most often occurs in corporate environments, where they control the endpoints.
Of course, if you're not careful, the proxy can do sslstrip and such, tricking users into not using/checking https. But if you're careful and check for HTTPS, you're OK in theory (assuming TLS works, no vulns, etc).
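The comments above name two things a plain-HTTP proxy can do to a page: rewrite https:// links to http:// (sslstrip) and inject its own scripts or ads. As an added example that is not part of the thread, this sketch diffs a copy of a page fetched directly against a copy fetched through a proxy and reports both; the sample pages, host names and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample pages (not captured traffic): the same document fetched
# directly and through a hypothetical rewriting proxy.
BASELINE = """<a href="https://mail.example.test/login">Sign in</a>
<form action="https://mail.example.test/auth" method="post"></form>
<script src="https://static.example.test/app.js"></script>"""
PROXIED = """<a href="http://mail.example.test/login">Sign in</a>
<form action="http://mail.example.test/auth" method="post"></form>
<script src="https://static.example.test/app.js"></script>
<script src="http://ads.proxy.invalid/inject.js"></script>"""


class Collector(HTMLParser):
    """Record absolute URLs in href/src/action and hosts of external scripts."""

    def __init__(self):
        super().__init__()
        self.urls, self.script_hosts = set(), set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in ("href", "src", "action") or not value:
                continue
            parts = urlsplit(value)
            if parts.scheme in ("http", "https") and parts.hostname:
                self.urls.add(value)
                if tag == "script" and name == "src":
                    self.script_hosts.add(parts.hostname)


def collect(html):
    parser = Collector()
    parser.feed(html)
    parser.close()
    return parser


def compare(baseline_html, proxied_html):
    """Return links downgraded to http and script hosts absent from the baseline."""
    base, prox = collect(baseline_html), collect(proxied_html)
    new_urls = prox.urls - base.urls  # URLs that only the proxied copy contains
    downgraded = sorted(u for u in base.urls if u.startswith("https://")
                        and "http://" + u[len("https://"):] in new_urls)
    return {"downgraded": downgraded,
            "injected_script_hosts": sorted(prox.script_hosts - base.script_hosts)}


if __name__ == "__main__":
    print(compare(BASELINE, PROXIED))
```

The baseline copy has to come over a path you trust (for example a verified HTTPS fetch made without the proxy), and pages that legitimately vary between requests will need an allow-list of expected script hosts.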
They say it is just for caching purposes (if the html data is encrypted they cannot serve cached images and so), but who knows what they do with your data as credit cards, etc.
That's not true. HTTPS over insecure proxies is safe, as long as you aren't getting SSL certificate warnings (i.e. the broken lock icon, or a big red warning).
If a man in the middle proxy decrypted the content and re-encrypted it, it would be using a different public key than the one that belongs to the original website, and your browser would know immediately and warn you, probably also preventing you from even loading the page.
The proxy would have to be trusted on your computer as a Certificate Authority, at which point you've given the proxy the power to say "trust me, this public key really does belong to Google". Even then, in many browsers the certificates for common websites are pinned, so if you tried to go to gmail.com for example and a proxy was intercepting it, and was also trusted as a certificate authority, Chrome would still prevent the page from loading.
Once my ISP (Cox Communication) injected a message into a web page I was reading to notify me of their planned service downtime. So I wonder about the legality aspect of this type of injection. Can anyone who transmits data modify pages?
I'm not aware of any such case going to court anywhere, although it probably has by now.
In Sweden a couple of years ago, the largest mobile operator Telia injected some toolbar with ads on top of all mobile web content. Within a working day literally all of the Swedish media sites had collectively blocked all access to their web sites from Telia mobile IP ranges. The next day the ad toolbar was gone.
> Within a working day literally all of the Swedish media sites had collectively blocked all access to their web sites from Telia mobile IP ranges. The next day the ad toolbar was gone.
That's amazing - the market kicking back in full force and putting a giant back in its place. In other markets/regions this would just pass.
Do you have a source? I tried some googling but my English keywords seem to have no power ;)
Seems like my memory was a bit hazy. The issue was not that they inserted their own ads on top of mobile content, but that they inadvertently blocked some ad content in the actual sites.
Another group of users of free proxies (I had been in that group in the past), are people living in countries behind state run firewalls/filters. You want to read the news, or even check your email (in some cases) and you need a proxy. You cannot afford to run your own proxy. So you use the free ones, AND YOU KNOW they are not safe, but you don't have a choice.
If you live in one of those countries using the proxy will get you into the same trouble as reading those sites in the first place, heck probably into even more trouble.
Are you guessing, or have you seen actual reports/investigations that say that? I don't think it's so. China, for instance, doesn't have nearly the resources (or at least doesn't choose to use them) to 'get into trouble' anyone who looks at censored content, say, via a proxy. They just make it as difficult as possible to access.
One study suggested that even posting unallowed content might escape without censorship (let alone punishment) -- unless the posted content attracts discussion from others, and thus the algorithms make it look like you might actually be organizing.
Imagine you're sitting in a cafe trying to read nytimes.com. You're not worried about some Cyber Police kicking in the door, you just want a way around the block.
Quite a few non-free "privacy apps" just route your traffic through free, open proxies that they keep scanning. So, of course, you end up being completely exposed to snooping and injections.
Some proxy providers ask users to install client-side apps. You don't have to do all this dance to see what the user is seeing if you can install a binary on the user's machine. This is what most people in Iran and China do.
One way or another, somebody is watching. Either it's the NSA or some ad agency interested in your browsing habits while you "bypass" the filters.
In the future, I imagine almost every site will use HTTPS—maybe browsers will even refuse to connect over plain HTTP. Then this kind of attack won't be possible.
I'm sure that there will be free proxies that "require you to install this program" (which also installs a certificate) to work. But yeah, it helps for e.g. the middle schoolers who don't have admin rights on the computers anyway.
This is called "learning experience". How are children supposed to not think of computers as magic boxes if they're prohibited from doing anything interesting on it (and that very much includes breaking them and fixing by themselves)? Restoring the machines back to original state should be a trivial task for whoever is responsible for the computer room.
> How are children supposed to not think of
> computers as magic boxes if they're prohibited
> from doing anything interesting on it (and that
> very much includes breaking them and fixing by
> themselves)?
The first thing every kid did in the computer lab was highlight all the icons on the desktop and try to delete them. We already knew how to use computers because we had one at home to mess with. The whole goal of the computer lab was to figure out how to create a bomb for the next user.
Now pretend we aren't in the heights or mid/upper burbs anymore. There is no IT/networking staff. It's just Mr. Perkins, the English teacher that volunteered to look after the computer room. And there are kids without computers in their household. Too bad, all the computers are hosed because lol.
Changing advertisements, to take credit for views and clicks, would be quite beneficial. This could go unnoticed by the viewer for a long time too. I would not be surprised if a lot of these free proxy servers do just that.
3. Configure it to bind to the vps public ip, set a high port, limit access to your home/work ip address or range(s)
4. Set your browser proxy to vps.ip.add.res:12345
The above is simple and effective; the only downside is that anyone else on your ip or range you specified can use that proxy too (if they find out the ip:port and if they have done steps 3 and 4 above).
You can switch off the vps when not using it (saving you money)
> only downside anyone else on your ip or range you specified can use that proxy too.
If you have ssh access, you can set up a proxy on the remote server, and use ssh dynamic port forwarding (-D) to forward the proxy connections on your local machine.
Using this trick you can safely use any ssh capable machine as a proxy. It works like a charm.
And if your 'ssh capable machine' runs Linux, OSX, or any other *nix, you can use sshuttle [1]. It's a layer on top of SSH dynamic port forwarding that allows you to proxy any application, even those that don't support proxies out of the box.
Yes that too :) I remember doing this more than a dozen years ago in university to a local research unix machine we could make accounts on in order to bypass the stupid firewall. In hindsight I think the network admins knew about our trick but turned a blind eye to it since it required people to muck around with command line and learn stuff :D
Forgive me if I'm not realizing some sort of networking safety here or inherent indirection, but how does this protect any kind of anonymity? Seems like it would be pretty easy for a government to ask the host for who owns the specific IP address communicating with a service. The host has all the billing information for an owner. IP -> Host -> Billing Information -> Owner.
Same would apply for a VPN company or a company selling a proxy (like the person I replied to asked for) if you paid with credit card/paypal; governments can and do hit these with requests.
If you are worried about privacy you should be using bitcoin (and know how to use this anonymously, which I am not going to go into). You could then buy a vps with bitcoin quite anonymously with the likes of chunkhost.com or bithost.io (reselling digitalocean for btc)
Basically having an http proxy (I'm not talking about web proxies but forward and reverse ones such as tinyproxy & haproxy) has its uses, for example if you have a robot scraping via multiple addresses (to bypass limits for example or scrape different content dependent on location)
and well they are simpler to set up and use than vpns on both the client and server end
a vpn is fine in most cases but there are use cases where a quick and dirty http proxy helps save a lot of headaches.
One reason would be if you have coded a robot to scrape http(s) content of other sites, it's easier to configure wget/curl/own_code to use your proxy (or even a list of own proxies) than setting up vpn,
see my post above in this thread about setting up tinyproxy
can also use haproxy if its only one specific site you are scraping