Is HTTPS still secure if using proxy ?

Hi, recently I started doing online shopping & banking at home and at work.

My question - if I'm using a web proxy(for whatever reason) that supports HTTPS, are my transactions still secure from prying eyes? For example, could the proxy obtain my credit card details?

Assuming of course the SSL cert of the site is valid and the lock icon on my browser is visible at all times.
Thanks for any comments.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

I would say yes, to a point.

The Web Proxy server should be acting only as a go-between, sending your encrypted packets forward to the destination server and accepting same and sending them back to you.  When that lock appears, you should have an encrypted session with the destination server, not the proxy server.  Once that encryption has taken place, the proxy server can't read the contents any more than anyone else on the net can.  When you enter your credit card information, it will travel that encrypted link to the intended server and be safe.

That having been said, if the person who owns the proxy server chooses to, he could set up a "man in the middle" attack.  He could arrange it so that you set up the encrypted session with the proxy server instead of the server you intended.  Then the proxy server would set up the connection between itself and your intended server.  It would pass the pages back to you as required.  When you entered your credit card information, it would first go to the proxy server.  The proxy would read it and pass it off to the intended server.  You would complete your transaction, but the proxy would have seen the whole thing and been able to record it.  The SSL cert should prevent this from happening, provided you understand the warning message it will put up and provided that someone hasn't monkeyed with your computer.  If someone is 'pretending' to be your e-commerce site and tries to throw up a cert for someone else, you should get a warning message about it.  It isn't easy to circumvent something like that without access to your computer.

All things considered, I'd be pretty shocked if you ran across someone who was both able and interested in setting something like that up.  If you trust the encryption and security of the e-commerce site you are dealing with, I would say that the proxy server will present a very low risk when added to the equation.

You can, however, check to see if you are the victim of a man in the middle attack.  When you connect to the credit card info page, right click on the page and select 'properties' (for IE 6).  It will show you exactly what site you are connecting to and what type of encryption you are using.  If it lists anything other than the site you were expecting, do not send your information.

Good luck!

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
amorusoAuthor Commented:
Thanks robing for your answer! It was very easy to understand, although reading about the "man-in-the-middle" attack did make me nervous for a moment. At work, I have no choice but to use company's web proxy which I believe shouldn't present much of a risk. But generally I'd be a little more cautious about public open proxies.
Hi just to let you know it is secure, only SSH1 is subject to man-in-the-middle attack, HTTPS servers these days use SSH2, which thing a little bit of complex maths each client & server obtain a public & private key for encryping & decrypting, these r not sent so any spying eyes dont stand a change unless they want to crach the 128bit encryption which would take until the end of time. so you are safe :O)

if you would like to read a little more into SSH (the excryption used with htmls) you can read it up here

Hope i was some help

yup, https is secure even connected to the proxy, because it's encrypted all data in and out
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.