Is HTTPS still secure if using proxy ?

Posted on 2003-11-08
Last Modified: 2010-04-11
Hi, recently I started doing online shopping & banking at home and at work.

My question - if I'm using a web proxy(for whatever reason) that supports HTTPS, are my transactions still secure from prying eyes? For example, could the proxy obtain my credit card details?

Assuming of course the SSL cert of the site is valid and the lock icon on my browser is visible at all times.
Thanks for any comments.
Question by:amoruso
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Accepted Solution

Robing66066 earned 200 total points
ID: 9709256
I would say yes, to a point.

The Web Proxy server should be acting only as a go-between, sending your encrypted packets forward to the destination server and accepting same and sending them back to you.  When that lock appears, you should have an encrypted session with the destination server, not the proxy server.  Once that encryption has taken place, the proxy server can't read the contents any more than anyone else on the net can.  When you enter your credit card information, it will travel that encrypted link to the intended server and be safe.

That having been said, if the person who owns the proxy server chooses to, he could set up a "man in the middle" attack.  He could arrange it so that you set up the encrypted session with the proxy server instead of the server you intended.  Then the proxy server would set up the connection between itself and your intended server.  It would pass the pages back to you as required.  When you entered your credit card information, it would first go to the proxy server.  The proxy would read it and pass it off to the intended server.  You would complete your transaction, but the proxy would have seen the whole thing and been able to record it.  The SSL cert should prevent this from happening, provided you understand the warning message it will put up and provided that someone hasn't monkeyed with your computer.  If someone is 'pretending' to be your e-commerce site and tries to throw up a cert for someone else, you should get a warning message about it.  It isn't easy to circumvent something like that without access to your computer.

All things considered, I'd be pretty shocked if you ran across someone who was both able and interested in setting something like that up.  If you trust the encryption and security of the e-commerce site you are dealing with, I would say that the proxy server will present a very low risk when added to the equation.

You can, however, check to see if you are the victim of a man in the middle attack.  When you connect to the credit card info page, right click on the page and select 'properties' (for IE 6).  It will show you exactly what site you are connecting to and what type of encryption you are using.  If it lists anything other than the site you were expecting, do not send your information.

Good luck!

Author Comment

ID: 9709371
Thanks robing for your answer! It was very easy to understand, although reading about the "man-in-the-middle" attack did make me nervous for a moment. At work, I have no choice but to use company's web proxy which I believe shouldn't present much of a risk. But generally I'd be a little more cautious about public open proxies.

Expert Comment

ID: 9716938
Hi just to let you know it is secure, only SSH1 is subject to man-in-the-middle attack, HTTPS servers these days use SSH2, which thing a little bit of complex maths each client & server obtain a public & private key for encryping & decrypting, these r not sent so any spying eyes dont stand a change unless they want to crach the 128bit encryption which would take until the end of time. so you are safe :O)

if you would like to read a little more into SSH (the excryption used with htmls) you can read it up here

Hope i was some help


Expert Comment

ID: 9746053
yup, https is secure even connected to the proxy, because it's encrypted all data in and out

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Smart phones, smart watches, Bluetooth-connected devices—the IoT is all around us. In this article, we take a look at the security implications of our highly connected world.
No single Antivirus application (despite claims by manufacturers) will catch or protect you from all Virus / Malware or Spyware threats. That doesn't stop you from further protecting yourself however - and this article is to show you how.
Sending a Secure fax is easy with eFax Corporate ( First, just open a new email message. In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question