11

Is it possible to get the username and password we enter into sites like facebook using proxy server?

The scenario is like this :
1.My laptop is connected to a network.
2.It is configured to use a proxy server to connect to Internet.
3.I enter my credentials into secure sites.

Is it possible for others to get credentials in the above scenario ?

Novice User
  • 2,088
  • 7
  • 26
  • 38
Maximin
  • 221
  • 3
  • 11

6 Answers6

11

If the URL uses SSL (i.e. is https://) and use the proxy only for transport, then no, the proxy sees only encrypted data and cannot peek at it. (Unless the proxy tries to feed you with a forged certificate, which requires some prior installation of a collaborating CA in your machine; this may happen in work environments, when your enemy is the local sysadmin.)

If the connection, as it exits your machine, is unprotected, then yes, by definition the proxy sees every byte which comes and goes. This is true for all proxy technologies.

The situation can be made more complex if the proxy itself asks for some authentication, and/or if the proxy negotiates some SSL between itself and the target server. For the technologically unwary, it can become a bit hard to know where the password you type actually goes. If:

  • your browser and local machine are clean (it has not been touched by a potentially hostile sysadmin or malware);
  • your browser says "that's SSL" with the (in)famous padlock icon;
  • the server name in the URL bar is indeed what you expect (it is exactly www.facebook.com, and not something like www.facebook.com.sdjygsdb.com);
  • your browser sees nothing wrong with the server's certificate (no scary warning, URL bar turned red or something like that);

Then:

  • what you send to the server is safe from prying eyes of external entities, including proxies.

Otherwise:

  • anything goes. Your data is at least potentially insecurely transfered, and proxies are in ideal conditions to meddle with it.
Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • So if my laptop is untouched, i do have a https connection, my url is correct like mentioned and browser founds nothing wrong with the server's certificate, there is nothing to worry even-if the enemy is local sysadmin,right? – Maximin Apr 08 '13 at 02:43
  • @Maximin One issue remains: The admin could install and trust his own root CA on your PC, which would make your browser/OS accept the false CA as if it was a real one. – Orca Apr 16 '13 at 23:27
  • @Orca Is there anyway to restrict this? Is it possible to detect this? – Maximin Apr 17 '13 at 03:18
5

It depends.

There are two main types of proxy: HTTP and SOCKS.

An HTTP proxy can, as its name suggests, only really deal with HTTP traffic. You send it a request and it forwards it to the target page, and proxies the result back to you. All of this traffic is sent in plain-text, so it's possible to sniff and alter it. It is, however, possible to perform a HTTP CONNECT over some of these proxies, which turns the HTTP traffic into a TCP tunnel. From there, SSL can be used on that tunnel, allowing for protection against most types of sniffing attacks. Another type of HTTP proxy called an HTTPS proxy functions identically, except the entire protocol operates over HTTPS instead.

On the other side of things is SOCKS, which acts as nothing more than a tunnel. A message is sent to the proxy to create a connection to a target server, and the proxy then forwards everything between you and the server. There are three main versions of SOCKS in use today: SOCKS4, SOCKS4a, and SOCKS5. The SOCKS4a specs added the ability to pass a domain name as a target parameter, instead of an IP address, such that the proxy would perform the DNS lookup instead of the client. This helped fix problems where the client was unable to perform a DNS lookup itself, and also helped improve privacy, since it was previously possible to sniff the DNS lookup traffic from the client and identify the sites it was visiting. SOCKS5 further expanded the protocol to include IPv6 and UDP support, as well as better authentication. However, the actual SOCKS traffic is plaintext, and the client must provide its own transport security within the tunnelled connection.

In general, you should consider the use of a proxy to be at most as safe as sending the traffic yourself. You will still be sending plaintext information to the proxy (unless it's a HTTPS proxy) and that can be sniffed. Once the tunnel is created, the traffic can still be sniffed unless you're talking to the target server via HTTPS or a similar secure protocol.

An interesting case occurs when the operator of the proxy is malicious. Any plaintext traffic can be sniffed and stolen regardless, but a malicious proxy can perform active attacks. For example, it might inject content into your traffic, or redirect you to other servers. If you use HTTPS, then your privacy and safety are increased, but it may be possible for the attacker to "downgrade" or bypass the SSL by interfering with the SSL handshake. It may even return a forged certificate to you, and claim to be the target server, whilst secretly decrypting all of your traffic.

To put it very simply: proxies can be dangerous, and you should only use proxies that you trust.

Polynomial
  • 132,208
  • 43
  • 298
  • 379
5

There are two main cases: if you connect to http://facebook.com, or if you connect to https://facebook.com (HTTP vs HTTPS). Facebook redirects you to HTTPS by default, by the way.

With HTTP, all communication is in plaintext. Anyone who controls some bit of Internet infrastructure between you and the server can eavesdrop on the communication and obtain your credentials. It doesn't matter whether you've specified a proxy or not: a proxy can be transparent, and even if there's no proxy, someone could still be listening.

In practice, ISPs don't spy on their customers. Employers do sometimes spy on their employees. Also, if you're using a wifi connection, other local wifi users may be able to spy on you.

By the way, your credentials aren't just your username and password. Once you've established the connection, your session is identified by a cookie; if the attacker gets your cookie, they can pass for you (at least until you close the connection).

With HTTPS, the basic answer is no, your credentials are safe, and your connection is safe. You can know that your connection is safe if all these conditions are met:

  • Your browser shows a green padlock icon next to the URL (or whatever it uses to indicate a good HTTPS connection). (This shows you're using HTTPS, but it isn't enough.)
  • The URL begins with facebook.com/ or whatever site you're connecting to (if you see something different like facebook.com.evilhackers.com/…, you're securely connected to the wrong site).
  • Your machine is free from any malware.
  • Your browser hasn't been configured to accept a non-standard certification authority.

That last point is relevant on company-issued computers: some employers install their own certification authority, so that your browser accepts any connection as genuine if it's made with the company proxy. Depending on which country you live in, this may or may not be legal, and they may or may not be required to inform you (in small print in the 100-page-long IT policy).

Assuming HTTPS is used safely, a proxy can only relay encrypted bytes back and forth. It knows which site you're connecting to (it has to know where to send the packets), but it cannot know the full URLs you're accessing, the content of the pages, or the data you're submitting in forms.

Gilles 'SO- stop being evil'
  • 50,912
  • 13
  • 120
  • 179
0

This is very possible when using unencrypted websites, but significantly harder with SSL.

With SSL, it would be possible for a Man In The Middle (MITM) attack to reveal that data. This would require the proxy to negotiate the certificate with the website, and then negotiate it own with your browser, therefor the data in encrypted between yourself and the proxy, decrypted, and then reencrypted to be sent to facebook.

Make sure when you receive a certificate error from an SSL site, you don't automatically add an exception without knowing where it came from.

David Houde
  • 5,464
  • 1
  • 27
  • 22
0

Adding to the other answers

  1. If the network you are using has an HTTPS proxy then it is difficult to capture your credentials over the network (unless someone tries an MITM on SSL) but one possible point of attack would be the DNS.
  2. If you are relying on your proxy server to do name resolutions for you then it is possible for the proxy admin to redirect you to a malicious (phishing) website that looks exactly like the original one. There you enter your credentials and they go to a malicious server(may be hosted in your own network).
Shurmajee
  • 7,285
  • 5
  • 27
  • 59
0

Its possible by using ssl strippers and some other sniffing tools. I have tested this case in my network using some ssl stripping tools. I have go passwords and usernames easily.We are using squid server. Facebook and gmail are using with https but I got it. So security is a simple joke . We can give maximum protection but that's not least .

James
  • 1