Is HTTPS still secure if using proxy ?

Posted on 2003-11-08
Medium Priority
Last Modified: 2010-04-11
Hi, recently I started doing online shopping & banking at home and at work.

My question - if I'm using a web proxy(for whatever reason) that supports HTTPS, are my transactions still secure from prying eyes? For example, could the proxy obtain my credit card details?

Assuming of course the SSL cert of the site is valid and the lock icon on my browser is visible at all times.
Thanks for any comments.
Question by:amoruso
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Accepted Solution

Robing66066 earned 800 total points
ID: 9709256
I would say yes, to a point.

The Web Proxy server should be acting only as a go-between, sending your encrypted packets forward to the destination server and accepting same and sending them back to you.  When that lock appears, you should have an encrypted session with the destination server, not the proxy server.  Once that encryption has taken place, the proxy server can't read the contents any more than anyone else on the net can.  When you enter your credit card information, it will travel that encrypted link to the intended server and be safe.

That having been said, if the person who owns the proxy server chooses to, he could set up a "man in the middle" attack.  He could arrange it so that you set up the encrypted session with the proxy server instead of the server you intended.  Then the proxy server would set up the connection between itself and your intended server.  It would pass the pages back to you as required.  When you entered your credit card information, it would first go to the proxy server.  The proxy would read it and pass it off to the intended server.  You would complete your transaction, but the proxy would have seen the whole thing and been able to record it.  The SSL cert should prevent this from happening, provided you understand the warning message it will put up and provided that someone hasn't monkeyed with your computer.  If someone is 'pretending' to be your e-commerce site and tries to throw up a cert for someone else, you should get a warning message about it.  It isn't easy to circumvent something like that without access to your computer.

All things considered, I'd be pretty shocked if you ran across someone who was both able and interested in setting something like that up.  If you trust the encryption and security of the e-commerce site you are dealing with, I would say that the proxy server will present a very low risk when added to the equation.

You can, however, check to see if you are the victim of a man in the middle attack.  When you connect to the credit card info page, right click on the page and select 'properties' (for IE 6).  It will show you exactly what site you are connecting to and what type of encryption you are using.  If it lists anything other than the site you were expecting, do not send your information.

Good luck!

Author Comment

ID: 9709371
Thanks robing for your answer! It was very easy to understand, although reading about the "man-in-the-middle" attack did make me nervous for a moment. At work, I have no choice but to use company's web proxy which I believe shouldn't present much of a risk. But generally I'd be a little more cautious about public open proxies.

Expert Comment

ID: 9716938
Hi just to let you know it is secure, only SSH1 is subject to man-in-the-middle attack, HTTPS servers these days use SSH2, which thing a little bit of complex maths each client & server obtain a public & private key for encryping & decrypting, these r not sent so any spying eyes dont stand a change unless they want to crach the 128bit encryption which would take until the end of time. so you are safe :O)

if you would like to read a little more into SSH (the excryption used with htmls) you can read it up here


Hope i was some help


Expert Comment

ID: 9746053
yup, https is secure even connected to the proxy, because it's encrypted all data in and out

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Hey fellow admins! This time, I have a little fairy tale for you. As many tales do, it starts boring and then gets pretty gory. I hope you like it. TL;DR: It is about an important security matter, you should read it if you run or administer Windows …
This tutorial demonstrates a quick way of adding group price to multiple Magento products.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question