I am connecting to an HTTPS service with SSL through an HTTP (not HTTPS) proxy.

I am using Chrome/Firefox proxy settings. (Chrome does not directly expose them, but they can be set via a Chrome extension or by a command-line argument. Firefox exposes them in its settings.)

I keep wondering, what can an "evil" HTTP proxy do? What does it see?

When I connect to an HTTPS web server, can an evil HTTP proxy:

  • see the requests
  • read the requests
  • change the requests maliciously to something else?

How would that differ if I used an HTTPS proxy? How would that differ if I used a SOCKS proxy?

Basically, I am not sure which one of these 2 mental models is true.

two models

Karel Bílek

1 Answer

If the proxy is NOT an SSL intercepting proxy then the proxy can only see the target hostname and make observations about the encrypted traffic, i.e. size, timing and direction of data but not the application data itself.

An untrusted SSL intercepting proxy can also decrypt the traffic - but in this case the client would get a certificate warning or the browser would reject the connection outright. With a trusted intercepting proxy though (like in corporate environments) the browser does not throw any warnings since the proxy's certificates are trusted.

hft
Steffen Ullrich
  • How to tell which one it is? I can see the proxy can add its own *headers* to the HTTP request. (X-Forwarded-For, Via.) So how come it cannot do anything else? – Karel Bílek Apr 01 '22 at 05:42
  • @KarelBílek: if the proxy can add a header then it must be able to decrypt the content. – Steffen Ullrich Apr 01 '22 at 08:37
  • I thought so too. But then, Google Chrome and Ffx all show the green SSL logo, as if all is being encrypted? So I am utterly confused what is even happening. – Karel Bílek Apr 04 '22 at 07:26
  • @KarelBílek: see for example https://security.stackexchange.com/questions/133254/how-does-ssl-proxy-server-in-company-work – Steffen Ullrich Apr 04 '22 at 07:57
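
What a non-intercepting HTTP proxy can observe, per the answer above, shown as an added example that is not part of the original question, answer or comments. It assumes the browser opens the tunnel with an HTTP `CONNECT` request; the function names and the sample bytes are constructed for illustration.

```python
import struct

# TLS record content types (the 5-byte record header is sent unencrypted).
TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

def parse_connect(data: bytes):
    """Split the plaintext CONNECT request head from the tunnelled bytes that follow it."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("ascii").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT":
        raise ValueError("not a CONNECT tunnel request")
    host, _, port = parts[1].rpartition(":")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"host": host, "port": int(port), "headers": headers}, rest

def tls_records(stream: bytes):
    """Return [(type, length)] for each complete TLS record; payloads are never interpreted."""
    out, off = [], 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        if ctype not in TLS_TYPES or off + 5 + length > len(stream):
            break  # not TLS, or a record that is still in flight
        out.append((TLS_TYPES[ctype], length))
        off += 5 + length
    return out

def proxy_view(client_bytes: bytes):
    """Everything a proxy that only relays the tunnel learns from the client side."""
    meta, tunnel = parse_connect(client_bytes)
    meta["records"] = tls_records(tunnel)
    return meta

# Constructed sample: client-to-proxy bytes with placeholder record payloads
# (not a real ClientHello or real ciphertext).
SAMPLE = (b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
          + b"\x16\x03\x01\x00\x04" + b"\x01\x00\x00\x00"           # handshake record, 4 bytes
          + b"\x17\x03\x03\x00\x06" + b"\xaa\xbb\xcc\xdd\xee\xff")  # application_data, 6 bytes

if __name__ == "__main__":
    print(proxy_view(SAMPLE))
```

The method, path, headers and body of the request to the web server travel inside the `application_data` records, so only their sizes appear in the result.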