I know what HTTP & Socks proxies are and how they're different, but do not know what SSL proxies are.
SSL Proxy = HTTPS Proxy That is, http proxy with SSL support so that you can connect to places like https://startpage.com Warning: Never, ever use those free, public proxy (even https one) servers to read your e-mail, do facebook etc. or anything where you need to give ur login/password combo. For regular surfing https and socks5 proxies are ok thought, if you can't for some reason use tor, vpn or both.
Thanks for the response. What puts my sensitive info at risk with public HTTPS proxies? Is is the proxy provider or the quality of the proxy etc? I've used them in the past (in addition to my VPN) but I got tired of the slow speeds so I started playing with some different proxy scrapers but those end up just scraping public ones from all over the web. Do you have a solid way to obtain good proxies?
Well, there are actually two risks when using free public, even https one, proxies. HTTPS spoofing and the actual anonymity of the proxy. HTTPS Spoofing. Even if the http proxy supports SSL it does not mean that it is safe to use. Remember that when you are connecting to some of those HTTPS proxies, you are essentially giving control of your connection to unknown 3rd party. It could just be helpfull netizen that is controlling that proxy. Or it could be any of the three-letter-agencies or some network privacy hostile country that controls that proxy. And they could use HTTPS spoofing (faking the target server SSL cert) to fool your browser. Normally, when browser encounters suspicious SSL cert, it should give you warning. However, there has been bugs (and likely there are more bugs hidden) with cert handling that allow to spoof any site they please: http://www.wired.com/2009/07/kaminsky/ There are https proxies and tools with dynamic SSL cert injection/spoofing capability (like squid, Microsoft's “Forefront Threat Management Gateway”, sslsniff etc...). Any of these combined with any possible future bugs in SSL cert handling could allow attacker to do SSL MITM without your browser alarming you at all. Also, there has also been hardware sold just for spoofing HTTPS in mind. http://www.wired.com/2010/03/packet-forensics/ And there could be crooked/threatened/goverment owned CA (Certificate Authority) with the power to issue fake SSL cert for any site (it only takes one bad CA) and then use it with their controlled proxies. And again your browser would not help you. Only thing you could do to detect this thing is to somehow try to get the real cert and match it's SHA fingerprint against the one you browser has gotten from https proxy: https://www.grc.com/fingerprints.htm So although the possibility of using a bad, agency/goverment owned HTTPS proxy with faked cert(s) is slim, it is still a real one and not theoretical. Here's extremenly good reading of the subject: http://files.cloudprivacy.net/ssl-mitm.pdf And even if proxy is not stealing your login/password, it could very well do other bad things, like modifying html content or injecting it's own ads, scripts etc... https://blog.haschek.at/2015-analyzing-443-free-proxies H*ck, even if you are just having an windows machine and some anti-virus software installed you could very well be running a HTTPS spoofing local proxy in your very own computer without you knowing it! For example. here's www.nsa.gov SSL cert issuer when my avast anti-virus is on: http://185.82.200.39/nsa_avast_spoofed_ssl_cert.png And here's the www.nsa.gov issuer with anti-virus off and Google Chrome cache cleaned and browser restarted: http://185.82.200.39/nsa_real_ssl_cert.png On top of all this, you have to trust Microsoft Windows OS when using Internet Explorer, Chrome or Safari because that's who is providing and handling ssl certs for those browsers (from pages 3 & 4 of that http://files.cloudprivacy.net/ssl-mitm.pdf) Firefox uses it's own database of certs. Anonymity. When you google for "free public proxy list" etc. the suggested proxy lists that you come up are most likely: - Recycled. That is, most of those free proxy list sites just list the same duplicate proxies floating in the Net over and over. Or maybe even directly copying from other similar sites. (This became very clear to me when I was developing my CyberDragon browser project.) - Not really anonymous. Don't just blatantly trust when site says they list only anonymoys or high anonymous (elite) proxies. Test them! For example, here's list of apparently high anonymous https proxies from HideMyAss. http://185.82.200.39/proxy_list.png Testing the first eleven proxies with proxy judge (that's what proxy testing pages are called for) revealed that the following proxies were infact, happily revealing your true IP address in one of their HTTP headers! (no, it is not enough to just check if the REMOTE_ADDR HTTP header is the same as the proxy IP): 95.94.184.58:3128 183.111.169.208:3128 185.28.193.95:8080 211.144.81.68:18000 14.39.140.6:8080 So to be safe you really have to test those proxies either manually or with some tool (more of that later). The proxy judge page I used in this test was http://www.proxyjudge.info Here's more info about proxy judge if you are interested setup your own (you need web server with either perl or php support and either azenv.pl or azenv.php file) http://www.proxynova.com/proxy-articles/list-of-proxy-judges/ Now let's take a look what proxies do with your connection from best (high anonymous), to mediocre (anonymous) to worst (not anonymous at all). First, high anonymous proxy: Here's what target server would see when connecting throught this proxy (27.34.246.116:8080). http://185.82.200.39/good_proxy.png As you can see, the REMOTE_ADDR HTTP field shows only proxy IP address. Even better, this proxy does not even reveal the fact to the target server that it is proxy (that is, HTTP_VIA HTTP header is missing). So this is completely high anonymous (elite) proxy. Next, anonymous proxy (31.173.74.73:8080): http://185.82.200.39/medium_proxy.png In this case, the HTTP_VIA header is there. So if the site you are trying to reach throught this proxy does check this particular http header, it could deny your access if it wanted to. And lastly, the non-anonymous proxy: http://185.82.200.39/bad_proxy.png Here, even tought the REMOTE_ADDR will still shows only proxy IP address, there is an additional header HTTP_X_FORWARD_FOR that reveals your true IP address! There is also sometimes HTTP_X_REAL_IP header that some proxies add. Basically anything starting with HTTP_X_ (or anything else the proxy owner wanted to use) has the potential to reveal your true IP. Tools I myself have been looking for reliable, open source, proxy checking tool that would fetch proxies and check them for https, geolocation and anonymity. And maybe something that I could also run, not only from local computer, but also from web server. Haven't found one yet. For local proxy fetching & checking: My CyberDragon browser has proxy fetching and checking capability but there are still problems (read: possible crashes) with it. So I ripped it out to it's own project long time ago so those interested could work with it and fix things: https://github.com/sfroberg/SimpleProxyChecker For remote proxy checking only: Christian Haschek has made a nice php script https://github.com/chrisiaut/proxycheck_script Unfortunately, it's not multithreaded and I don't know how reliable the anonymity checking (http://ip.haschek.at/) is. Maybe it does check all the HTTP_X headers in addition to REMOTE_ADDR. Or maybe just REMOTE_ADDR. Ultimately, this is what should be done: - Fix & test multithreading in my SimpleProxyChecker tool to get reliable, working local tool in case of remote proxy check banning happens. - Add multithreading (php curl) to Christian Haschek proxy script, make sure that it checks all the HTTP_X_ headers and not just REMOTE_ADDR, fetch proxies and lastly, show only good proxies (those that are working and online, HTTPS allowing, not html modifying or ad/script injecting) with possible geolocation (GeoIP PHP API) as a bonus. I have tried to add those things to Christians script but Im not that fluent with PHP (im C and C++ programming guy). (Had some very limited success http://185.82.200.39/works.txt)
First off, @Stefan Froberg Thank you for taking the time to create this champion of posts! It's informative and far beyond what I was expecting. I posted my original question because I was having issues getting a secure connection to websites. And being the novice that I am had no understanding of certificates, ssl, exceptions, fingerprints, and everything else that I came across while researching what to do about my browser connection issue. My fear was that somehow my browser had become compromised and that certificates were altered. After reading your post on how dangerous public proxies are I'm certain that with all my public proxy experimenting I had granted someone with ill intent access. You said that if someone gains access to your browser or session that they can then modify all certificates granting themselves access to much more than their initial intrusion? Since certificates have been the source of my suspicion. So would checking the certificates of all the sites I visit against the GRC database be the only way to spot fakes certifs?
Glad to help If the bad https proxy is just faking ssl certs then only the stuff you are sending over the net is compromised. But it is certainly possible for malicious proxy owner to look who is accessing them (they already have your real IP and what browser you are using) and then try to attack any known/unknown browser or browser plugin weakness and try to gain access to your machine itself. Especially if you are running your browser as administration. Even without initial administration level browser access, the attacker could still try to gain admin rights by using various exploits/weaknesses either in browser itself or it's plugins. After gaining admin rights it's game over and attacker can do whatever they want. Im afraid so. But you can save time by looking what your SSL cert issuer and SHA1 fingerprints are for https://www.wikipedia.org. The issuer field of the cert should read: GlobalSign Organization Validation CA - SHA256 - G2 And the SHA1 fingerprint should be: 87 F5 BA BB D8 97 C5 79 B6 6A F5 2F D8 63 8B 99 BD 1C E8 26 If neither does not match then it means something fishy is going on with ur computer (possible compromise? anti-virus software running it's own HTTPS proxy? some other program running in the background doing it's own HTTPS proxy stuff ? Replaced SSL cert(s) ? ). To make it 100% sure that this is not actual connection issue (your ISP playing games with your HTTPS?), you could check with clean, fresh installed second computer your connection to https://www.wikipedia.org and see what the Issuer and SHA1 fingerprints are this time.
Not sure exactly what you are looking for. These web sites check for the existence of a local host proxy server: http://www.lagado.com/proxy-test http://www.whatismyproxy.com/ http://whatismyipaddress.com/proxy-check This software is used to check for the existence of an external man-in-the-middle proxy server: https://www.digi77.com/ssl-eye-prism-protection/ Note: I couldn't use SSLEye because Eset's firewall kept complaining about the validation server it uses in Singapore. Believe it was a FP but never pursued that w/Eset.
