1

I'm trying to troubleshoot an issue for a user of my service https://jsonip.com.

Last week I enabled forcing 301 redirects for all http to https connections.

The user I'm trying to help now was relying on his internal IP being added to the x-forward-for header by his corporate proxy. Now that all connections are being forced to https, it only provides his publicly available IP.

I'm thinking that his corp proxy isn't inserting its own certificate in https connections, so therefore can't inspect the connection and insert/update the x-forward-for header with the proxy IPs.

If so, this is good for the employees' individual privacy (boss can't intercept web traffic) but otherwise is interfering with how the user was using jsonip.com.

Can anyone confirm/deny if my supposition makes sense?

Geuis
  • 625
  • 3
  • 8
  • 17
  • 2
    Seems plausible enough. – Zoredache Jan 03 '17 at 23:06
  • You can't send back to the user any information that wasn't sent to you. So the user is kind of screwed... – Michael Hampton Jan 03 '17 at 23:11
  • BTW, why have a https redirect on a site that only displays/returns the IP address? The source IP address is literally part of the IP packet. You aren't really protecting anything. By the time you receive a request to perform a redirect everything that attacker could learn, has already been sent in the clear. – Zoredache Jan 03 '17 at 23:17
  • @Zoredache Technically you're right. However the service is used in both server and browser environments. Major browsers are moving to https by default and will throw errors/warnings for unsecured sites. So its not about protecting anything, but to be user/browser friendly. – Geuis Jan 03 '17 at 23:21
  • Which browser is giving an error? Is this happening when someone has used it within their javascript code? They should probably be using `//jsonip.com` in their code, ie, they shouldn't specifying the protocol. – Zoredache Jan 03 '17 at 23:25
  • 2
    @Geuis Ensuring integrity may be of value regardless of the privacy aspect, though. I suppose that all depends on what they are going to use the IP address for and how bad it would be if a MITM changed the response. – Håkan Lindqvist Jan 04 '17 at 00:28

1 Answers1

1

When a browser is using a proxy will use CONNECT method to create a direct connection towards remote website. This connection is using SSL/TLS protocol and the browser will communicate directly and without any changes with remote website. The request headers and response headers or any part of communication are not tampered by the proxy.

Internal IP addresses are considered as sensitive information and they should not be send by the proxy in the first place. For security reasons, the client that is complaining should use an local service similar to what your server offer.

On the other hand I do not see why you should not offer the service unencrypted if there are no authentication or other sensitive data that your service receive or send.

The only way to be able to have a proxy that is decrypting and changing traffic is a proxy that creates on demand certificates signed by a CA trusted by the web browser. I expect to see this things in very controlled environments. See this article and the technical counterpart for an example of such proxy.

Mircea Vutcovici
  • 16,706
  • 4
  • 52
  • 80