SOCKS proxy security concerns

Question

As claimed, "A socks proxy simply transfers data from a client to a server, not penetrating into this data contents (therefore it can work with HTTP, FTP, SMTP, POP3, NNTP, etc.)", I really can't buy it, can't a SOCKS proxy log data, analyze its content, redirect traffic, capture submitted forms, intercept SSL/TLS communications, "harvest" emails, or even spoof an IP address through a poisoned DNS?

I understand that SOCKS operates at lower level than HTTP proxies, and that it support authentication in its SOCKS5 version.

I found it risky to use proxies, but sometime its the most "feasible" as an exchange to privacy, when it come to region limitation and bandwidth allocation.

Can anybody clarify the above points?

Answer 1

A SOCKS proxy is in a position similar to a router: it sees all traffic. It is thus in ideal position to commit various felonies on your data. You should consider it as you would consider any router on the Internet (including your ISP): it fulfills a service but you do not trust it. Using an external proxy is no less risky, but no more risky either, than doing proxy-less connections(*). The short mantra is: SSL protects you, as well as it protects you over the Internet in general.

The error would be to believe that a proxy which asks for authentication somehow makes your data "secure" in some way. Don't be fooled ! The authentication is for the protection of the proxy, not yours.

A special case is proxies which claim to offer anonymity. Nothing guarantees that; that's a promise the proxy makes and you cannot enforce it. For Tor (Tor is just boosted proxying), risks of hostile proxies is mitigated by chaining them, so that your anonymity is preserved as long as at least one of the proxies is trustworthy.

Of course, if the proxy is your friend and is really trustworthy, then it can help in defeating attackers. For instance, a SOCKS proxy through a SSH connection (ssh -N -D 5000 othermachine, and set your browser to use 'localhost:5000' as SOCKS proxy) is a cheap but effective VPN for your Web-based traffic, between your machine and the network where othermachine is located (I was doing that a lot when I was working for a company which was physically on another continent).

---

(*) Ok, that's not entirely true. Low-grade attackers, as opposed to, say, oppressive governments, could find it uneasy to make Man-in-the-Middle attacks on your data; they would have to ressort to crude methods such as DNS poisoning. If you accept to forward all your data through the attacker's proxy, then you make the task easier for him in practice. But you should not assume that not using proxies makes you immune to low-grade attackers. Also, this does not change anything high-grade attackers who control infrastructure routers: by using their proxy, you are not giving them any power over you that they did not already possess.

Answer 2

Yes, a malicious proxy might do all of those things. You're giving it the privilege of a man in the middle. The same goes for VPNs and Tor. The solution is simple: don't use a proxy you don't trust.

If you absolutely must use such a proxy, only communicate over SSL and do not accept invalid certificates. This isn't a catch-all, since a compromised CA certificate would still allow an attacker to spoof the connection, but it's the best you can do in such an environment.

Answer 3

An honest to god socks proxy has very limited functionality, whereas there are a great many proxy products that would log, analyze, and filter any traffic including SSL traffic. There's no way to get around the fact that you must trust the proxy to do what it says it is going to do. If you don't have a reason to trust it then don't.