Solved

Is HTTPS still secure if using proxy?

Posted on 2003-11-08
Last Modified: 2010-04-11
Hi, recently I started doing online shopping & banking at home and at work.

My question - if I'm using a web proxy (for whatever reason) that supports HTTPS, are my transactions still secure from prying eyes? For example, could the proxy obtain my credit card details?

Assuming of course the SSL cert of the site is valid and the lock icon on my browser is visible at all times.
Thanks for any comments.
Question by:amoruso

Accepted Solution

by:
Robing66066 earned 200 total points
ID: 9709256
I would say yes, to a point.

The Web Proxy server should be acting only as a go-between, sending your encrypted packets forward to the destination server and accepting same and sending them back to you.  When that lock appears, you should have an encrypted session with the destination server, not the proxy server.  Once that encryption has taken place, the proxy server can't read the contents any more than anyone else on the net can.  When you enter your credit card information, it will travel that encrypted link to the intended server and be safe.

That having been said, if the person who owns the proxy server chooses to, he could set up a "man in the middle" attack.  He could arrange it so that you set up the encrypted session with the proxy server instead of the server you intended.  Then the proxy server would set up the connection between itself and your intended server.  It would pass the pages back to you as required.  When you entered your credit card information, it would first go to the proxy server.  The proxy would read it and pass it off to the intended server.  You would complete your transaction, but the proxy would have seen the whole thing and been able to record it.  The SSL cert should prevent this from happening, provided you understand the warning message it will put up and provided that someone hasn't monkeyed with your computer.  If someone is 'pretending' to be your e-commerce site and tries to throw up a cert for someone else, you should get a warning message about it.  It isn't easy to circumvent something like that without access to your computer.

All things considered, I'd be pretty shocked if you ran across someone who was both able and interested in setting something like that up.  If you trust the encryption and security of the e-commerce site you are dealing with, I would say that the proxy server will present a very low risk when added to the equation.

You can, however, check to see if you are the victim of a man in the middle attack.  When you connect to the credit card info page, right click on the page and select 'properties' (for IE 6).  It will show you exactly what site you are connecting to and what type of encryption you are using.  If it lists anything other than the site you were expecting, do not send your information.

Good luck!
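
The check described in this answer, written out as an added example (not part of the original post): `fetch_cert_via_proxy` tunnels through a proxy with CONNECT and verifies the site's certificate end to end, and `assess` compares the certificate with the site you expected. It goes one step beyond the answer by also comparing the issuer, which catches the case where an interception CA has been installed on the computer; all function names, host names and sample certificates are hypothetical.

```python
import http.client
import ssl

def cert_names(cert):
    """DNS names from a dict shaped like ssl.SSLSocket.getpeercert()."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def issuer_org(cert):
    orgs = [v for rdn in cert.get("issuer", ()) for k, v in rdn if k == "organizationName"]
    return orgs[0] if orgs else None

def host_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):  # wildcard covers exactly one left-most label
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def assess(cert, expected_host, expected_issuer=None):
    """Return findings; an empty list means the cert is the one you expected."""
    findings = []
    if not any(host_matches(n, expected_host) for n in cert_names(cert)):
        findings.append("name-mismatch")        # the browser would warn here
    if expected_issuer and issuer_org(cert) != expected_issuer:
        findings.append("unexpected-issuer")    # no warning if that CA is trusted locally
    return findings

def fetch_cert_via_proxy(proxy_host, proxy_port, site, timeout=10):
    """CONNECT through the proxy, then run TLS end to end with the site."""
    ctx = ssl.create_default_context()          # verifies chain and host name
    conn = http.client.HTTPSConnection(proxy_host, proxy_port, context=ctx, timeout=timeout)
    conn.set_tunnel(site, 443)
    try:
        conn.connect()                          # ssl.SSLCertVerificationError on a bad cert
        return conn.sock.getpeercert()
    finally:
        conn.close()

# Constructed sample certificates (not real data).
def _cert(name, issuer):
    return {"subject": ((("commonName", name),),),
            "issuer": ((("organizationName", issuer),),),
            "subjectAltName": (("DNS", name),)}

GENUINE = _cert("shop.example.com", "Example Public CA")
WRONG_SITE = _cert("proxy.example.net", "Example Public CA")
LOCAL_CA = _cert("shop.example.com", "Corp Proxy CA")
```

To use it against a real connection, pass the result of `fetch_cert_via_proxy` to `assess` together with the issuer you recorded when connecting to the same site without the proxy.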

Author Comment

by:amoruso
ID: 9709371
Thanks robing for your answer! It was very easy to understand, although reading about the "man-in-the-middle" attack did make me nervous for a moment. At work, I have no choice but to use the company's web proxy, which I believe shouldn't present much of a risk. But generally I'd be a little more cautious about public open proxies.

Expert Comment

by:Ferg_y2k
ID: 9716938
Hi, just to let you know it is secure; only SSH1 is subject to man-in-the-middle attack. HTTPS servers these days use SSH2, with which, through a little bit of complex maths, each client & server obtain a public & private key for encrypting & decrypting. These are not sent, so any spying eyes don't stand a chance unless they want to crack the 128-bit encryption, which would take until the end of time. So you are safe :O)

If you would like to read a little more into SSH (the encryption used with htmls) you can read it up here

http://neworder.box.sk/newsread.php?newsid=9594

Hope I was some help

Ferg

Expert Comment

by:riqw
ID: 9746053
Yup, HTTPS is secure even when connected to the proxy, because all data in and out is encrypted.