Is it possible to get the username and password we enter into sites like facebook using proxy server?
The scenario is like this :
1.My laptop is connected to a network.
2.It is configured to use a proxy server to connect to Internet.
3.I enter my credentials into secure sites.
Is it possible for others to get credentials in the above scenario ?
If the URL uses SSL (i.e. is https://) and use the proxy only for transport, then no, the proxy sees only encrypted data and cannot peek at it. (Unless the proxy tries to feed you with a forged certificate, which requires some prior installation of a collaborating CA in your machine; this may happen in work environments, when your enemy is the local sysadmin.)
If the connection, as it exits your machine, is unprotected, then yes, by definition the proxy sees every byte which comes and goes. This is true for all proxy technologies.
The situation can be made more complex if the proxy itself asks for some authentication, and/or if the proxy negotiates some SSL between itself and the target server. For the technologically unwary, it can become a bit hard to know where the password you type actually goes. If:
www.facebook.com, and not something like www.facebook.com.sdjygsdb.com);Then:
Otherwise:
It depends.
There are two main types of proxy: HTTP and SOCKS.
An HTTP proxy can, as its name suggests, only really deal with HTTP traffic. You send it a request and it forwards it to the target page, and proxies the result back to you. All of this traffic is sent in plain-text, so it's possible to sniff and alter it. It is, however, possible to perform a HTTP CONNECT over some of these proxies, which turns the HTTP traffic into a TCP tunnel. From there, SSL can be used on that tunnel, allowing for protection against most types of sniffing attacks. Another type of HTTP proxy called an HTTPS proxy functions identically, except the entire protocol operates over HTTPS instead.
On the other side of things is SOCKS, which acts as nothing more than a tunnel. A message is sent to the proxy to create a connection to a target server, and the proxy then forwards everything between you and the server. There are three main versions of SOCKS in use today: SOCKS4, SOCKS4a, and SOCKS5. The SOCKS4a specs added the ability to pass a domain name as a target parameter, instead of an IP address, such that the proxy would perform the DNS lookup instead of the client. This helped fix problems where the client was unable to perform a DNS lookup itself, and also helped improve privacy, since it was previously possible to sniff the DNS lookup traffic from the client and identify the sites it was visiting. SOCKS5 further expanded the protocol to include IPv6 and UDP support, as well as better authentication. However, the actual SOCKS traffic is plaintext, and the client must provide its own transport security within the tunnelled connection.
In general, you should consider the use of a proxy to be at most as safe as sending the traffic yourself. You will still be sending plaintext information to the proxy (unless it's a HTTPS proxy) and that can be sniffed. Once the tunnel is created, the traffic can still be sniffed unless you're talking to the target server via HTTPS or a similar secure protocol.
An interesting case occurs when the operator of the proxy is malicious. Any plaintext traffic can be sniffed and stolen regardless, but a malicious proxy can perform active attacks. For example, it might inject content into your traffic, or redirect you to other servers. If you use HTTPS, then your privacy and safety are increased, but it may be possible for the attacker to "downgrade" or bypass the SSL by interfering with the SSL handshake. It may even return a forged certificate to you, and claim to be the target server, whilst secretly decrypting all of your traffic.
To put it very simply: proxies can be dangerous, and you should only use proxies that you trust.
There are two main cases: if you connect to http://facebook.com, or if you connect to https://facebook.com (HTTP vs HTTPS). Facebook redirects you to HTTPS by default, by the way.
With HTTP, all communication is in plaintext. Anyone who controls some bit of Internet infrastructure between you and the server can eavesdrop on the communication and obtain your credentials. It doesn't matter whether you've specified a proxy or not: a proxy can be transparent, and even if there's no proxy, someone could still be listening.
In practice, ISPs don't spy on their customers. Employers do sometimes spy on their employees. Also, if you're using a wifi connection, other local wifi users may be able to spy on you.
By the way, your credentials aren't just your username and password. Once you've established the connection, your session is identified by a cookie; if the attacker gets your cookie, they can pass for you (at least until you close the connection).
With HTTPS, the basic answer is no, your credentials are safe, and your connection is safe. You can know that your connection is safe if all these conditions are met:
facebook.com/ or whatever site you're connecting to (if you see something different like facebook.com.evilhackers.com/…, you're securely connected to the wrong site).That last point is relevant on company-issued computers: some employers install their own certification authority, so that your browser accepts any connection as genuine if it's made with the company proxy. Depending on which country you live in, this may or may not be legal, and they may or may not be required to inform you (in small print in the 100-page-long IT policy).
Assuming HTTPS is used safely, a proxy can only relay encrypted bytes back and forth. It knows which site you're connecting to (it has to know where to send the packets), but it cannot know the full URLs you're accessing, the content of the pages, or the data you're submitting in forms.
This is very possible when using unencrypted websites, but significantly harder with SSL.
With SSL, it would be possible for a Man In The Middle (MITM) attack to reveal that data. This would require the proxy to negotiate the certificate with the website, and then negotiate it own with your browser, therefor the data in encrypted between yourself and the proxy, decrypted, and then reencrypted to be sent to facebook.
Make sure when you receive a certificate error from an SSL site, you don't automatically add an exception without knowing where it came from.
Adding to the other answers
Its possible by using ssl strippers and some other sniffing tools. I have tested this case in my network using some ssl stripping tools. I have go passwords and usernames easily.We are using squid server. Facebook and gmail are using with https but I got it. So security is a simple joke . We can give maximum protection but that's not least .
