How Unsafe is it to Log in to a Website Using Anonymous Web Proxy?

Let us say that I want to access some sites blocked by the authority for any reason what-so-ever.

I understand that these sites can be accessed, sometimes with limited functionality, using anonymous proxies. But when you access sites like Google Sites, you need to provide your user name and password. Sometimes to upload your files, sometimes for read access only.

When I login to a site directly, my user name and password are sent encrypted over the network provided I access an https site. However, when I login via proxy, my user name and password may be sent encrypted to the proxy site over the network, but the proxy site will have to submit it on my behalf and so it will have them in hand in clear text.

This is where I start feeling unsafe. Can the proxy site owner use my user name and password for unfair purposes?

Please point out whether my conjecture is incorrect.

Any tips or suggestions will also be welcome.

Masroor

Posted 2013-04-26T08:29:50.920

Reputation: 1 097

Answers

If you can generate an end-to-end session then you gain security through the proxy not being able to intercept your communications, but if your session terminates at the proxy and they connect on your behalf to the website, the proxy owner could do whatever they want with that information.

This is why sites which require higher security (eg online banking) try to set up an SSL connection from the server to your desktop - and do their best to detect or prevent MITM attacks.

If you don't control the proxy, you need to work out how much you can trust it - and this will depend on the value of what you are protecting.

We have a lot of questions on this subject on Security Stack Exchange - come on over for some guidance.

Rory Alsop

Posted 2013-04-26T08:29:50.920

Reputation: 3 168

Yes, your conjecture is correct. The web proxy owner may know the username/password you sent by recording all the traffic data. Please don't send sensitive information by web proxy.

It will be more safe if you use a IP:Port proxy. FYI, Is Proxy Safe to Use? http://www.change-ip.net/proxy-safe/

Terence

Posted 2013-04-26T08:29:50.920

Reputation: 41

If you're really serious about security and you don't mind the inconvenience, you could use TOR. Just make sure that you're also using https, since the last step (exit node to target site) is unencrypted otherwise.

David X

Posted 2013-04-26T08:29:50.920

Reputation: 464

Would you mind explaining a little bit how the use of TOR and https will save me? As I see it, the proxy server needs to have my user id and password in clear text in order to submit it to the target site where access is provided only after log in. I am concerned about the honesty or rather lack of it, of the proxy server owner. – Masroor – 2013-05-06T11:23:51.007

1The proxy server doesn't have to have your user id and password in plaintext to submit it, it just has to have some https stream that the target site will decrypt into your user id and password. Since the proxy doesn't know the key you used to generate the https, it has no way of knowing your user id or password. Tor prevents a: the local censors from knowing you connected to the target site and b: the target site from knowing what ip address you connected from. – David X – 2013-05-08T07:52:52.697

Thanks a lot. Just to make sure, your comment is equally applicable to those online anonymous proxies as well? Or TOR protects me only when I use the http proxies I set in my browser? – Masroor – 2013-05-08T13:18:36.217

1Only if the proxy is correctly designed (a tcp forwarding proxy). If the url looks like https://maliciousproxy.net/?u=https://example.com/page, https is close to irrelevant since your https connection is to the proxy, not the target site. If you use (firefox example) edit>prefs>advanced>network>settings proxy configuration, you might have a secure connection, although there are other possible security holes. (I suppose I should clarify that I meant 'really' as 'extremely' rather than just 'actually'.) – David X – 2013-05-09T23:50:21.270