How secure is HTTPs in combination with anonymiser proxy

Networking/Security Forums -> Anonymity // Privacy // Spam

Author: MohaShaf PostPosted: Mon Apr 20, 2009 2:41 am    Post subject: How secure is HTTPs in combination with anonymiser proxy
    ----
I am using proxy servers like kproxy in combination with https (https://www.kproxy.com) for anonymous browsing.I would like to know if my ISP or any intruder can intercept to view my requests/responses (both the URL which i am accessing and the request/response content)

In general i understand that ssl is used for the server identification and for encryption. But is this the case everytime or sometimes it is used only for server identification and not for encryption.

Any help would be appreciated. Thanks in advance for your time

Author: MohaShaf PostPosted: Fri Apr 24, 2009 7:02 am    Post subject:
    ----
Can someone help me with the question?

Author: Fire AntLocation: London PostPosted: Fri Apr 24, 2009 10:39 am    Post subject:
    ----
Quote:
I would like to know if my ISP or any intruder can intercept to view my requests/responses
They can intercept your requests and responses but they cannot read them as they are encrypted.

Quote:
But is this the case everytime or sometimes it is used only for server identification and not for encryption.
This depends on a number of factors. Normally an SSL certificate would have an attribute called Key Usage which will state something like "Signing" and "Key Encipherment", this tells me what the certificate can be used for. The server identification is determined by comparing the CN in the Subject attribute against the URL.

You actual encrypted connection handled via a handshake, it is entirely possible for a NULL cipher to be used. This setting is determined byt eh browser asking the server what ciphers it supports and then using one.

Is i like likely that an HTTPS connection is not encrypted, no but it is technically possible to do.

I wouldn't rely on an encrypted connection to an anonymiser to protect you though. There are two methods that could be used to look at what you are doing:

1 - Key logger or trojan on your computer
2 - Logs on the anonymous proxy

Both of these are used by law enforcement and intelligence agencies. Recent a kiddy porn collector was captured because the logs from an anonymous proxy were subpoenaed.

Also, eve though you might be using an anonymous proxy but you may also leave a wealth of other data laying around on your system which points to your spurious activities.

I have to ask what person uses an anonymous proxy. Someone who doesn't want anyone knowing what they are doing e.g. something dodgy?

Matt_s

Author: MohaShaf PostPosted: Mon May 04, 2009 5:11 pm    Post subject:
    ----
Thank you very much Matt for your detailed explanation. Very Happy I missed out one aspect in my original question.
1) From the answer, I could guess that using an anonymiser without SSL is not going to help the user with anonymity and privacy (from the ISP for example). If using an anonymiser website without SSL encryption is not going to give someone any privacy or anonymity, whats the purpose/benefit in using an anonymiser website without SSL ?
2) Can i use a tool like wireshark to check if my current SSL session in the browser is encrypted or not?

matt_s wrote:


I have to ask what person uses an anonymous proxy. Someone who doesn't want anyone knowing what they are doing e.g. something dodgy?



I would say that it is incorrect to assume that a person using anonymiser would be doing it for illegal purposes. Everyone likes privacy. I do not want anybody else to know more than what i wish to let them know what I am doing with my computer, internet and inside my bedroom.

Author: Fire AntLocation: London PostPosted: Mon May 04, 2009 7:53 pm    Post subject:
    ----
MohaShaf,

In response to your post:

Quote:
If using an anonymiser website without SSL encryption is not going to give someone any privacy or anonymity, whats the purpose/benefit in using an anonymiser website without SSL ?
Absolutely correct, its like robing a bank with gloves but no balaclava. Wink

Quote:
Can i use a tool like wireshark to check if my current SSL session in the browser is encrypted or not?
You would use wireshark, tcpdump. I know that in Firefox you can see what encryption algorithm and key size is being used.

Quote:
I would say that it is incorrect to assume that a person using anonymiser would be doing it for illegal purposes. Everyone likes privacy. I do not want anybody else to know more than what i wish to let them know what I am doing with my computer, internet and inside my bedroom.
Imagine you got in a taxi and the taxi driver demanded in doing illegal u-turns, speeding and handbrake maneuvers during your fare, he claimed that he might be being followed? Would you get in this cab? Would you report this person to the police? I understand that everyone needs their privacy but there is such a thing as suspicious amount of privacy.

Matt_s

Author: MohaShaf PostPosted: Tue May 05, 2009 2:55 pm    Post subject:
    ----
matt_s wrote:
Absolutely correct, its like robing a bank with gloves but no balaclava. Wink

Matt, Thanks a lot for making it clear. An enlightening example Idea

matt_s wrote:
You would use wireshark, tcpdump. I know that in Firefox you can see what encryption algorithm and key size is being used.

Thanks again. Smile

matt_s wrote:
Imagine you got in a taxi and the taxi driver demanded in doing illegal u-turns, speeding and handbrake maneuvers during your fare, he claimed that he might be being followed? Would you get in this cab? Would you report this person to the police? I understand that everyone needs their privacy but there is such a thing as suspicious amount of privacy.

When i see someone do something illegal and if i feel that its serious I am definitely going to do something about it. Also I will complain against the driver just because he causes inconvenience to the public and not because I suspect any ulterior motives behind his actions. Am sure using anonymisor doesnot cause any inconvenience to anybody directly so long as it is not used for evil purposes. I would not suspect a snailmail envelop to contain something fishy or illegal just because it is sealed properly. Privacy is a very normal and genuine expectation. And I will not compromise on that or be lenient just because i am using internet. I believe this is a widely accepted view. I would like to point to a similar view expressed by Tim Bernars Lee, the inventor of WWW in one of his interviews to BBC Arrow http://news.bbc.co.uk/1/hi/technology/7299875.stm If anonymisors are so evil why have a seperate forum for it?

Author: Fire AntLocation: London PostPosted: Tue May 05, 2009 4:06 pm    Post subject:
    ----
MohaShaf,

A very good retort.

Quote:
If anonymisors are so evil why have a seperate forum for it?
Its not anonymous proxies per say, just the people that use them.

Quote:
I would not suspect a snailmail envelop to contain something fishy or illegal just because it is sealed properly.
A thoughtful analogy and I see your point with this.

I expect an amount of privacy however I don't feel the need to go out of my way to get privacy. As a security professional, I know that 9 out of 10 (I have not taken a survey to get these stats by the way, just more like a guess Wink ) if a person is using an anonymous proxy its because they are doing something they shouldn't either because of a law or a contract e.g. employment contract states no downloading porn.

I can however think of scenarios where an anonymous proxy might be used legitimately such as looking at what your web competitor is doing without arousing suspicion.

Happy surfing. Laughing

Matt_s

Author: Beverly Roberts PostPosted: Fri Nov 27, 2009 8:55 pm    Post subject:
    ----
Another example of good guys using anonymous proxy would be people in countries with oppressive governments. They need privacy and anonymous proxy to ensure that they are not prosecuted based on what they read on the web.

Beverly Roberts

Author: MohaShaf PostPosted: Thu Dec 03, 2009 2:04 pm    Post subject:
    ----
matt_s wrote:

Its not anonymous proxies per say, just the people that use them.

Its not the anonymous proxies that use this forum but its the people who use anonymous proxies that use this forum.

matt_s wrote:
I expect an amount of privacy however I don't feel the need to go out of my way to get privacy.

I think privacy is a matter of personal choice and I wouldn't like another person suggest me on the level of privacy i need. Laughing

Author: GuidoVanLocation: London PostPosted: Wed Jan 20, 2010 5:28 pm    Post subject: Re: How secure is HTTPs in combination with anonymiser proxy
    ----
Anonymizers sucks, you should know about it. kproxy stores a suspicious cookie, see http://whoer.net/ext via kproxy.

So install any system (Windows XP, Linux,..) in VirtualBox, VMWare, Parallels. Configure local DNS servers for this box, setup language for system, use VPN + socks via Proxifier (or SocksCap, FreeCap,..), turn off Java and plugins for browser. And it will be more secure. Smile

Free socks you can find in http://sockslist.net or http://my-proxy.com
May be you want use high anonymous http proxies: http://proxyhttp.net and http://proxy-list.org instead of socks.

Author: free1proxy PostPosted: Fri Jul 09, 2010 11:31 pm    Post subject:
    ----
you can find Free socks proxy in Free Proxy List or IP Proxy

Author: rakot PostPosted: Fri Jul 16, 2010 8:21 am    Post subject:
    ----
free1proxy wrote:
you can find Free socks proxy in Free Proxy List or IP Proxy


in fact, no free proxy can give you a really high level of anonymity, it are not as reliable, as in need. And save user logs - is too dangerous to believe that such free services can give you absolute privacy in the internet



Networking/Security Forums -> Anonymity // Privacy // Spam


output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group