5

Let's say, for example, I have to use a public online proxy like https://www.zend2.com to load a PHP webpage controlled by me containing sensitive data over HTTPS.

How would I make sure that the proxy in the middle doesn't have insight into the data without modifying the client (browser), JavaScript and/or additional domain names and servers?

The solution's only goal is to prevent the public proxy attack layer (theoretical).

SilverlightFox
user52585
  • Good question but possible duplicate of http://security.stackexchange.com/questions/8145/does-https-prevent-man-in-the-middle-attacks-by-proxy-server – Gudradain Jul 24 '14 at 12:08

2 Answers

8

When you use a re-webber proxy (a website where you enter a URL and it shows you the content of that URL in its own context), using TLS between you and the end-website becomes impossible, even when the proxy would want to provide it.

When you enter https://google.com in the proxy you linked, you get redirected to https://www.zend2.com/vip3.php?u=RyhEPtB1SQ6bFRGMjVSDaC2jhw%3D%3D&b=29. Note that the domain you connect to is https://www.zend2.com. That's the domain you make your TLS handshake with. Anything else would lead to a certificate warning, because your browser expects a valid certificate from www.zend2.com, not from google.com. The proxy then does its own TLS handshake with the destination site, requests the content, decrypts it, COULD look at it, re-encrypts it for you and sends it to you.

You might also notice that this service performs a man-in-the-middle attack right before your eyes! It adds its own HTML code to each website you load through it, even when you load it through HTTPS. This code includes JavaScript, which is executed in the context of the website you load. They could use this for all kinds of XSS attacks when they would want to. The website demonstrated that they can and will manipulate any content you access through it, so you should not use it to send or access any confidential information.

To avoid this, do not use a rewebber service. Use a proxy server properly by entering it into the connection settings for your web browser. In that case your web browser is aware that it is using a proxy server and will expect a TLS certificate from the actual destination, not from the proxy. Any eavesdropping or manipulation by the proxy becomes impossible in that case.

Philipp
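The difference described in the answer above, sketched as an added example that is not part of the original answers: a client that uses a configured proxy asks it for a raw tunnel with HTTP CONNECT and then verifies the certificate against the destination name, whereas with a rewebber the name verified is simply the host in the address bar. The function names, and any proxy host or port passed in, are assumptions for illustration.

```python
import socket
import ssl
from urllib.parse import urlsplit

def verified_host(address_bar_url: str) -> str:
    """Host whose certificate the browser checks: always the one in the URL it loads."""
    return urlsplit(address_bar_url).hostname

def build_connect_request(dest_host: str, dest_port: int = 443) -> bytes:
    """CONNECT request asking a configured proxy for a raw TCP tunnel."""
    target = f"{dest_host}:{dest_port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")

def tunnel_established(response_head: bytes) -> bool:
    """True only if the proxy's status line reports a 2xx result."""
    parts = response_head.split(b"\r\n", 1)[0].split()
    return (len(parts) >= 2 and parts[0].startswith(b"HTTP/")
            and len(parts[1]) == 3 and parts[1][:1] == b"2")

def open_tls_via_proxy(proxy_host, proxy_port, dest_host, dest_port=443):
    """Return a TLS socket whose certificate was verified for dest_host, not the proxy."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=10)
    try:
        sock.sendall(build_connect_request(dest_host, dest_port))
        head = b""
        # The destination sends nothing before our ClientHello, so this
        # reads only the proxy's own response headers.
        while b"\r\n\r\n" not in head:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection")
            head += chunk
        if not tunnel_established(head):
            raise ConnectionError(f"proxy refused tunnel: {head[:60]!r}")
        ctx = ssl.create_default_context()  # verifies chain and hostname
        # The handshake runs end to end inside the tunnel; the proxy relays
        # ciphertext and cannot present a certificate valid for dest_host.
        return ctx.wrap_socket(sock, server_hostname=dest_host)
    except Exception:
        sock.close()
        raise
```

For the rewebber URL quoted in the answer, `verified_host` returns `www.zend2.com`, which is why the destination site's certificate never reaches the browser in that setup.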
0

Aside from possible flaws with SSL, you can make sure the certificate belongs to the site you're visiting. If SSL is secure, then your data should be secure as well. I'm not too certain on the feasibility of faking certificates, but generally what I've read is if it's signed by the proper authority then it's real. I would do some research first, although I think it's unlikely your data would be intercepted assuming SSL is secure, although I imagine there is a way out there to fake a certificate (without a warning showing up -- definitely make sure the certificate is trusted).

JVE999
  • Can't tunnel SSL through a public unsecure HTTP(S) proxy, right? – user52585 Jul 24 '14 at 11:37
  • I don't see why you couldn't. It depends on the proxy rules, but you should be able to. If the proxy doesn't encrypt the data, that just means if you're sending and receiving unencrypted data, it will remain unencrypted, but if you're sending encrypted data, it will stay encrypted. – JVE999 Jul 24 '14 at 18:20