RE: How safe are those "Free" Anonymous SSL,HTTPS Proxies?

["Burton M. Strauss III" <BStrauss () acm org>]

Well, how much do you trust the provider?

The ssl encrypted channel runs from your host -> the provider.

What happens after that is up to them.  But at a minimum, the unencrypted
data will exist on the proxy machine:

                     +-------PROXY-------+
  You (encrypt)------>(decrypt) (encrypt)------>(decrypt)destination
                     +-------PROXY-------+

What guarantee do you have that the 2nd ssl session even exists?
And/or that the proxy is really directing you to the endpoint you asked
for - I can see how something like this would be wonderful for pfishing
attempts.

-----Burton


> -----Original Message-----
> From: Jon S. [mailto:supercool9000 () hotmail com]
> Sent: Tuesday, April 20, 2004 2:46 PM
> To: security-basics () securityfocus com
> Subject: How safe are those "Free" Anonymous SSL,HTTPS Proxies?
>
>
>
> How safe is it for someone to use one of those Anonymous SSL, HTTP proxy
> servers
> that can be found from the internet (after searching for "free proxy
> servers")?
>
> 1) Is it just plain stupid to use the "free" Anonymous proxy
> servers that we
> found from the net,
> when we're thinking of securing the communication via "SSL, HTTPS"?
>
> Or would you say "it's still better than revealing your source IP
> and jeapordizing your anonymity, use it if you can".
>
> 2) Is any part of "Anonymous SSL,HTTPS Proxy" ever sent unencrypted (or
> otherwise abnormally vulnerable form), aside from header packets?
>
> 3) How difficult is it for someone to intercept AND decipher the
> messages,
> (in terms of average time assuming typical ssl/https encryption strength)?
>
> Thanks in advance...
>
> _________________________________________________________________
> FREE pop-up blocking with the new MSN Toolbar – get it now!
> http://toolbar.msn.com/go/onm00200415ave/direct/01/
>
>
> ------------------------------------------------------------------
> ---------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get
> $545 off
> any course! All of our class sizes are guaranteed to be 10
> students or less
> to facilitate one-on-one interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab.
> Master the skills
> of an Ethical Hacker to better assess the security of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ------------------------------------------------------------------
> ----------


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------