2
Let us say that I want to access some sites blocked by the authority for any reason what-so-ever.
I understand that these sites can be accessed, sometimes with limited functionality, using anonymous proxies. But when you access sites like Google Sites, you need to provide your user name and password. Sometimes to upload your files, sometimes for read access only.
When I login to a site directly, my user name and password are sent encrypted over the network provided I access an https
site. However, when I login via proxy, my user name and password may be sent encrypted to the proxy site over the network, but the proxy site will have to submit it on my behalf and so it will have them in hand in clear text.
This is where I start feeling unsafe. Can the proxy site owner use my user name and password for unfair purposes?
Please point out whether my conjecture is incorrect.
Any tips or suggestions will also be welcome.
Would you mind explaining a little bit how the use of TOR and https will save me? As I see it, the proxy server needs to have my user id and password in clear text in order to submit it to the target site where access is provided only after log in. I am concerned about the honesty or rather lack of it, of the proxy server owner. – Masroor – 2013-05-06T11:23:51.007
1The proxy server doesn't have to have your user id and password in plaintext to submit it, it just has to have some https stream that the target site will decrypt into your user id and password. Since the proxy doesn't know the key you used to generate the https, it has no way of knowing your user id or password. Tor prevents a: the local censors from knowing you connected to the target site and b: the target site from knowing what ip address you connected from. – David X – 2013-05-08T07:52:52.697
Thanks a lot. Just to make sure, your comment is equally applicable to those online anonymous proxies as well? Or TOR protects me only when I use the http proxies I set in my browser? – Masroor – 2013-05-08T13:18:36.217
1Only if the proxy is correctly designed (a tcp forwarding proxy). If the url looks like
https://maliciousproxy.net/?u=https://example.com/page
, https is close to irrelevant since your https connection is to the proxy, not the target site. If you use (firefox example) edit>prefs>advanced>network>settings proxy configuration, you might have a secure connection, although there are other possible security holes. (I suppose I should clarify that I meant 'really' as 'extremely' rather than just 'actually'.) – David X – 2013-05-09T23:50:21.270