• RSS
  • Twitter
  • FaceBook

Security Forums

Log in

FAQ | Search | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

How secure is HTTPs in combination with anonymiser proxy

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Anonymity // Privacy // Spam

View previous topic :: View next topic  
Author Message
MohaShaf
Just Arrived
Just Arrived


Joined: 19 Apr 2009
Posts: 0


Offline

PostPosted: Mon Apr 20, 2009 2:41 am    Post subject: How secure is HTTPs in combination with anonymiser proxy Reply with quote

I am using proxy servers like kproxy in combination with https (https://www.kproxy.com) for anonymous browsing.I would like to know if my ISP or any intruder can intercept to view my requests/responses (both the URL which i am accessing and the request/response content)

In general i understand that ssl is used for the server identification and for encryption. But is this the case everytime or sometimes it is used only for server identification and not for encryption.

Any help would be appreciated. Thanks in advance for your time
Back to top
View user's profile Send private message
MohaShaf
Just Arrived
Just Arrived


Joined: 19 Apr 2009
Posts: 0


Offline

PostPosted: Fri Apr 24, 2009 7:02 am    Post subject: Reply with quote

Can someone help me with the question?
Back to top
View user's profile Send private message
Fire Ant
Trusted SF Member
Trusted SF Member


Joined: 27 Jun 2008
Posts: 3
Location: London

Offline

PostPosted: Fri Apr 24, 2009 10:39 am    Post subject: Reply with quote

Quote:
I would like to know if my ISP or any intruder can intercept to view my requests/responses
They can intercept your requests and responses but they cannot read them as they are encrypted.

Quote:
But is this the case everytime or sometimes it is used only for server identification and not for encryption.
This depends on a number of factors. Normally an SSL certificate would have an attribute called Key Usage which will state something like "Signing" and "Key Encipherment", this tells me what the certificate can be used for. The server identification is determined by comparing the CN in the Subject attribute against the URL.

You actual encrypted connection handled via a handshake, it is entirely possible for a NULL cipher to be used. This setting is determined byt eh browser asking the server what ciphers it supports and then using one.

Is i like likely that an HTTPS connection is not encrypted, no but it is technically possible to do.

I wouldn't rely on an encrypted connection to an anonymiser to protect you though. There are two methods that could be used to look at what you are doing:

1 - Key logger or trojan on your computer
2 - Logs on the anonymous proxy

Both of these are used by law enforcement and intelligence agencies. Recent a kiddy porn collector was captured because the logs from an anonymous proxy were subpoenaed.

Also, eve though you might be using an anonymous proxy but you may also leave a wealth of other data laying around on your system which points to your spurious activities.

I have to ask what person uses an anonymous proxy. Someone who doesn't want anyone knowing what they are doing e.g. something dodgy?

Matt_s
Back to top
View user's profile Send private message
MohaShaf
Just Arrived
Just Arrived


Joined: 19 Apr 2009
Posts: 0


Offline

PostPosted: Mon May 04, 2009 5:11 pm    Post subject: Reply with quote

Thank you very much Matt for your detailed explanation. Very Happy I missed out one aspect in my original question.
1) From the answer, I could guess that using an anonymiser without SSL is not going to help the user with anonymity and privacy (from the ISP for example). If using an anonymiser website without SSL encryption is not going to give someone any privacy or anonymity, whats the purpose/benefit in using an anonymiser website without SSL ?
2) Can i use a tool like wireshark to check if my current SSL session in the browser is encrypted or not?

matt_s wrote:


I have to ask what person uses an anonymous proxy. Someone who doesn't want anyone knowing what they are doing e.g. something dodgy?



I would say that it is incorrect to assume that a person using anonymiser would be doing it for illegal purposes. Everyone likes privacy. I do not want anybody else to know more than what i wish to let them know what I am doing with my computer, internet and inside my bedroom.
Back to top
View user's profile Send private message
Fire Ant
Trusted SF Member
Trusted SF Member


Joined: 27 Jun 2008
Posts: 3
Location: London

Offline

PostPosted: Mon May 04, 2009 7:53 pm    Post subject: Reply with quote

MohaShaf,

In response to your post:

Quote:
If using an anonymiser website without SSL encryption is not going to give someone any privacy or anonymity, whats the purpose/benefit in using an anonymiser website without SSL ?
Absolutely correct, its like robing a bank with gloves but no balaclava. Wink

Quote:
Can i use a tool like wireshark to check if my current SSL session in the browser is encrypted or not?
You would use wireshark, tcpdump. I know that in Firefox you can see what encryption algorithm and key size is being used.

Quote:
I would say that it is incorrect to assume that a person using anonymiser would be doing it for illegal purposes. Everyone likes privacy. I do not want anybody else to know more than what i wish to let them know what I am doing with my computer, internet and inside my bedroom.
Imagine you got in a taxi and the taxi driver demanded in doing illegal u-turns, speeding and handbrake maneuvers during your fare, he claimed that he might be being followed? Would you get in this cab? Would you report this person to the police? I understand that everyone needs their privacy but there is such a thing as suspicious amount of privacy.

Matt_s
Back to top
View user's profile Send private message
MohaShaf
Just Arrived
Just Arrived


Joined: 19 Apr 2009
Posts: 0


Offline

PostPosted: Tue May 05, 2009 2:55 pm    Post subject: Reply with quote

matt_s wrote:
Absolutely correct, its like robing a bank with gloves but no balaclava. Wink

Matt, Thanks a lot for making it clear. An enlightening example Idea

matt_s wrote:
You would use wireshark, tcpdump. I know that in Firefox you can see what encryption algorithm and key size is being used.

Thanks again. Smile

matt_s wrote:
Imagine you got in a taxi and the taxi driver demanded in doing illegal u-turns, speeding and handbrake maneuvers during your fare, he claimed that he might be being followed? Would you get in this cab? Would you report this person to the police? I understand that everyone needs their privacy but there is such a thing as suspicious amount of privacy.

When i see someone do something illegal and if i feel that its serious I am definitely going to do something about it. Also I will complain against the driver just because he causes inconvenience to the public and not because I suspect any ulterior motives behind his actions. Am sure using anonymisor doesnot cause any inconvenience to anybody directly so long as it is not used for evil purposes. I would not suspect a snailmail envelop to contain something fishy or illegal just because it is sealed properly. Privacy is a very normal and genuine expectation. And I will not compromise on that or be lenient just because i am using internet. I believe this is a widely accepted view. I would like to point to a similar view expressed by Tim Bernars Lee, the inventor of WWW in one of his interviews to BBC Arrow http://news.bbc.co.uk/1/hi/technology/7299875.stm If anonymisors are so evil why have a seperate forum for it?
Back to top
View user's profile Send private message
Fire Ant
Trusted SF Member
Trusted SF Member


Joined: 27 Jun 2008
Posts: 3
Location: London

Offline

PostPosted: Tue May 05, 2009 4:06 pm    Post subject: Reply with quote

MohaShaf,

A very good retort.

Quote:
If anonymisors are so evil why have a seperate forum for it?
Its not anonymous proxies per say, just the people that use them.

Quote:
I would not suspect a snailmail envelop to contain something fishy or illegal just because it is sealed properly.
A thoughtful analogy and I see your point with this.

I expect an amount of privacy however I don't feel the need to go out of my way to get privacy. As a security professional, I know that 9 out of 10 (I have not taken a survey to get these stats by the way, just more like a guess Wink ) if a person is using an anonymous proxy its because they are doing something they shouldn't either because of a law or a contract e.g. employment contract states no downloading porn.

I can however think of scenarios where an anonymous proxy might be used legitimately such as looking at what your web competitor is doing without arousing suspicion.

Happy surfing. Laughing

Matt_s
Back to top
View user's profile Send private message
Beverly Roberts
Just Arrived
Just Arrived


Joined: 27 Nov 2009
Posts: 0


Offline

PostPosted: Fri Nov 27, 2009 8:55 pm    Post subject: Reply with quote

Another example of good guys using anonymous proxy would be people in countries with oppressive governments. They need privacy and anonymous proxy to ensure that they are not prosecuted based on what they read on the web.

Beverly Roberts
Back to top
View user's profile Send private message
MohaShaf
Just Arrived
Just Arrived


Joined: 19 Apr 2009
Posts: 0


Offline

PostPosted: Thu Dec 03, 2009 2:04 pm    Post subject: Reply with quote

matt_s wrote:

Its not anonymous proxies per say, just the people that use them.

Its not the anonymous proxies that use this forum but its the people who use anonymous proxies that use this forum.

matt_s wrote:
I expect an amount of privacy however I don't feel the need to go out of my way to get privacy.

I think privacy is a matter of personal choice and I wouldn't like another person suggest me on the level of privacy i need. Laughing
Back to top
View user's profile Send private message
GuidoVan
Just Arrived
Just Arrived


Joined: 07 Sep 2007
Posts: 0
Location: London

Offline

PostPosted: Wed Jan 20, 2010 5:28 pm    Post subject: Re: How secure is HTTPs in combination with anonymiser proxy Reply with quote

Anonymizers sucks, you should know about it. kproxy stores a suspicious cookie, see http://whoer.net/ext via kproxy.

So install any system (Windows XP, Linux,..) in VirtualBox, VMWare, Parallels. Configure local DNS servers for this box, setup language for system, use VPN + socks via Proxifier (or SocksCap, FreeCap,..), turn off Java and plugins for browser. And it will be more secure. Smile

Free socks you can find in http://sockslist.net or http://my-proxy.com
May be you want use high anonymous http proxies: http://proxyhttp.net and http://proxy-list.org instead of socks.
Back to top
View user's profile Send private message
free1proxy
Just Arrived
Just Arrived


Joined: 09 Jul 2010
Posts: 0


Offline

PostPosted: Fri Jul 09, 2010 11:31 pm    Post subject: Reply with quote

you can find Free socks proxy in Free Proxy List or IP Proxy
Back to top
View user's profile Send private message
rakot
Just Arrived
Just Arrived


Joined: 23 Jun 2010
Posts: 0


Offline

PostPosted: Fri Jul 16, 2010 8:21 am    Post subject: Reply with quote

free1proxy wrote:
you can find Free socks proxy in Free Proxy List or IP Proxy


in fact, no free proxy can give you a really high level of anonymity, it are not as reliable, as in need. And save user logs - is too dangerous to believe that such free services can give you absolute privacy in the internet
Back to top
View user's profile Send private message
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Anonymity // Privacy // Spam All times are GMT + 2 Hours
Page 1 of 1


 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Community Area

Log in | Register