2

If I use a browser through a proxy-server over a secure connection (i.e. the proxy is HTTPS) - does that mean that everything is encrypted, or just the page returned from the site?

And who does the DNS lookup? Does the browser do it through my ISP (in which case the URL is known to them) or does it delegate that to the proxy?

Assume Firefox, if the answer depends on that.

ispiro
  • Similar question here: http://security.stackexchange.com/questions/61334/does-an-https-proxy-encrypt-traffic-between-proxy-client-and-server-for-http-req – StackzOfZtuff May 14 '15 at 20:21

1 Answer

5

The full URL (hostname and path) is only inside the HTTP protocol and is thus encrypted by the TLS layer. Also, any HTTP headers and payload of request and response are end-to-end encrypted. But the hostname part of the URL is usually in the CONNECT request when using a non-transparent HTTP proxy, unless the client itself makes the DNS lookup. With a SOCKS proxy the situation is similar, i.e. the client provides the target IP (SOCKS4) or might provide the hostname (SOCKS5). Additionally, the hostname is usually included in the TLS handshake in the clear too (SNI), no matter if using a proxy or not.

This means it is known to the provider of the proxy (maybe the ISP) which host you are accessing but not which page on this host. Also, any hop after the proxy knows at least the target IP because this is needed for routing. And if SNI is used (i.e. in most cases) any hop can also find out the target's host name.

In short: the goal of TLS is not to keep privacy or to allow anonymous connections. The goal is to protect the data transferred between client and server against sniffing and modification.

> And who does the DNS lookup?

With a SOCKS4 proxy it must be done by the client (browser). With a SOCKS5 proxy or an HTTP proxy it can and will usually be done by the proxy since these protocols can transport the hostname instead of the IP address.

Edit: I was not aware that recent versions of Firefox and Chrome actually support connecting to an HTTP proxy with HTTPS. In this case only the connection to the proxy is visible to any hop before the proxy and thus the URL including the hostname and IP address is fully protected on the path to the proxy. On and after the proxy this additional TLS protection is removed and thus the hostname and target IP address are visible again as described above. I would assume that the browser sends the hostname and not the IP address to the proxy (because this is done with a normal HTTP proxy too), so the DNS lookup will only be done at the proxy.

Steffen Ullrich
  • `ISP at least would know the target IP address, because this is needed to route your data to the target` - I don't understand. Are you referring to the proxy's IP? If not - why would the ISP need to know the IP? – ispiro May 14 '15 at 20:21
  • It looks like you're answering about a regular TLS connection. That's not my question. I'm asking about when browsing is done through a proxy-server. – ispiro May 14 '15 at 20:22
  • Since the data must somehow reach the target and routing is done by IP address, the IP address needs to be known. And no, I'm talking about HTTP proxy connections (CONNECT method) where either the target's hostname is contained in the request and the proxy resolves it to get the target IP or the target's IP is included in the request. – Steffen Ullrich May 14 '15 at 20:23
  • It seems like a confusion point is _who_ the TLS connection is with. If you only have a TLS connection with the server (and not with the proxy), then the server's address or hostname needs to be in the clear. But if you have a secure connection to the proxy (aka vpn?) then it would not. Is that correct? – Mike Ounsworth May 14 '15 at 20:33
  • The idea of TLS is to have end-to-end encryption with the target server. The proxy only creates a tunnel (i.e. forward TCP) but does not affect the end-to-end encryption itself. Having TLS only to the proxy is usually not the case, but you might have TLS interception at the proxy in which case you get one TLS connection between client and proxy and another one between proxy and target. – Steffen Ullrich May 14 '15 at 20:35
  • I've edited the question to make it clear that I'm asking about a case where the connection _to the proxy_ is secure. – ispiro May 14 '15 at 21:09
  • Are you sure that Firefox supports speaking to a proxy with TLS? I doubt it. Did you try? I'm also not aware of any proxy implementation which supports speaking TLS to it. – Steffen Ullrich May 14 '15 at 21:13
  • @SteffenUllrich a) Thanks. b) According to [this answer](http://security.stackexchange.com/a/23584/12012) it does. (See "Supported in FF 33+" on that answer.) (I haven't used a proxy yet. This is a preliminary question.) c) If you don't add the `@ispiro` before your comment, I don't get notified of it. – ispiro May 14 '15 at 21:19
  • @ispiro: I was not aware of this functionality. But see my edited response. – Steffen Ullrich May 14 '15 at 21:27
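
The answer's point about which proxy protocol carries the hostname (and therefore who does the DNS lookup) can be checked by building the first request a client sends to each proxy type. This is an added example, not code from the question or the answer; the destination name, IP and port are constructed sample values, and `exposure` is a hypothetical helper.

```python
import ipaddress
import struct

# Constructed sample destination (documentation-range IP, RFC 5737).
HOST, IP, PORT = "www.example.org", "192.0.2.10", 443

def http_connect(target, port):
    """First message to a non-transparent HTTP proxy; target may be a name or an IP."""
    return f"CONNECT {target}:{port} HTTP/1.1\r\nHost: {target}:{port}\r\n\r\n".encode("ascii")

def socks4_connect(ip, port, userid=b""):
    """SOCKS4 has only a 4-byte IPv4 field, so the client must resolve the name first."""
    return struct.pack("!BBH", 4, 1, port) + ipaddress.IPv4Address(ip).packed + userid + b"\x00"

def socks5_connect(target, port):
    """SOCKS5 request (RFC 1928): ATYP 1 = IPv4, ATYP 3 = length-prefixed hostname."""
    try:
        addr = b"\x01" + ipaddress.IPv4Address(target).packed
    except ipaddress.AddressValueError:
        name = target.encode("idna")
        addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)

def exposure(request, host=HOST, ip=IP):
    """What the proxy reads in the request, and who ends up doing the DNS lookup."""
    sees_name = host.encode("ascii") in request
    sees_ip = ipaddress.IPv4Address(ip).packed in request or ip.encode("ascii") in request
    return {"hostname": sees_name, "ip": sees_ip,
            "dns_by": "proxy" if sees_name else "client"}

if __name__ == "__main__":
    cases = {
        "HTTP CONNECT (name)": http_connect(HOST, PORT),
        "HTTP CONNECT (ip)": http_connect(IP, PORT),
        "SOCKS4": socks4_connect(IP, PORT),
        "SOCKS5 (name)": socks5_connect(HOST, PORT),
        "SOCKS5 (ip)": socks5_connect(IP, PORT),
    }
    for label, req in cases.items():
        print(f"{label:20} {exposure(req)}  {req!r}")
```

When the browser speaks TLS to the proxy itself, these same bytes travel inside that outer TLS session, so they are hidden from hops before the proxy but still readable by the proxy.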