Solved

Is HTTPS still secure if using proxy?

Posted on 2003-11-08
Last Modified: 2010-04-11
Hi, recently I started doing online shopping & banking at home and at work.

My question - if I'm using a web proxy (for whatever reason) that supports HTTPS, are my transactions still secure from prying eyes? For example, could the proxy obtain my credit card details?

Assuming of course the SSL cert of the site is valid and the lock icon on my browser is visible at all times.
Thanks for any comments.
Question by:amoruso
4 Comments
 
LVL 7

Accepted Solution

by:
Robing66066 earned 200 total points
ID: 9709256
I would say yes, to a point.

The Web Proxy server should be acting only as a go-between, sending your encrypted packets forward to the destination server and accepting same and sending them back to you.  When that lock appears, you should have an encrypted session with the destination server, not the proxy server.  Once that encryption has taken place, the proxy server can't read the contents any more than anyone else on the net can.  When you enter your credit card information, it will travel that encrypted link to the intended server and be safe.

That having been said, if the person who owns the proxy server chooses to, he could set up a "man in the middle" attack.  He could arrange it so that you set up the encrypted session with the proxy server instead of the server you intended.  Then the proxy server would set up the connection between itself and your intended server.  It would pass the pages back to you as required.  When you entered your credit card information, it would first go to the proxy server.  The proxy would read it and pass it off to the intended server.  You would complete your transaction, but the proxy would have seen the whole thing and been able to record it.  The SSL cert should prevent this from happening, provided you understand the warning message it will put up and provided that someone hasn't monkeyed with your computer.  If someone is 'pretending' to be your e-commerce site and tries to throw up a cert for someone else, you should get a warning message about it.  It isn't easy to circumvent something like that without access to your computer.

All things considered, I'd be pretty shocked if you ran across someone who was both able and interested in setting something like that up.  If you trust the encryption and security of the e-commerce site you are dealing with, I would say that the proxy server will present a very low risk when added to the equation.

You can, however, check to see if you are the victim of a man in the middle attack.  When you connect to the credit card info page, right click on the page and select 'properties' (for IE 6).  It will show you exactly what site you are connecting to and what type of encryption you are using.  If it lists anything other than the site you were expecting, do not send your information.

Good luck!
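The check described in the accepted answer (confirm which site and certificate you are actually talking to), as an added Python example that is not part of the original thread: it opens an HTTP CONNECT tunnel through the proxy, lets the standard library validate the certificate, and reports the issuer, DNS names and SHA-256 fingerprint. It goes one step beyond the answer by comparing the fingerprint to a pinned value, which also covers the case where a proxy's CA has been added to the machine's trust store; `shop.example`, the sample certificate and all function names are constructed for illustration.

```python
import hashlib
import socket
import ssl

def is_tunnel_established(reply: bytes) -> bool:
    """True only if the proxy answered the CONNECT request with a 2xx status."""
    parts = reply.split(b"\r\n", 1)[0].split(None, 2)
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1][:1] == b"2"

def open_tunnel(proxy_host, proxy_port, host, port=443, timeout=10):
    """Ask the proxy for a raw TCP tunnel; the TLS session then runs inside it."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            break
        reply += chunk
    if not is_tunnel_established(reply):
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT: {reply[:60]!r}")
    return sock

def summarize(cert: dict, der: bytes, pinned_sha256=None) -> dict:
    """Reduce a getpeercert() result to the fields worth checking by eye or by pin."""
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    fp = hashlib.sha256(der).hexdigest()
    return {
        "issuer_org": issuer.get("organizationName"),
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "sha256": fp,
        "pin_ok": None if pinned_sha256 is None else fp == pinned_sha256.lower().replace(":", ""),
    }

def inspect_site(proxy_host, proxy_port, host, pinned_sha256=None):
    """TLS handshake with `host` through the proxy; raises ssl.SSLError if validation fails."""
    ctx = ssl.create_default_context()  # verifies chain (local trust store) and hostname
    raw = open_tunnel(proxy_host, proxy_port, host)
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        return summarize(tls.getpeercert(), tls.getpeercert(binary_form=True), pinned_sha256)

# Constructed sample: a getpeercert()-style dict as an intercepting proxy might present it.
SAMPLE_CERT = {
    "issuer": ((("organizationName", "Constructed Proxy CA"),),),
    "subjectAltName": (("DNS", "shop.example"),),
}
SAMPLE_DER = b"constructed stand-in for the certificate's DER bytes"
```

If `issuer_org` or the fingerprint differs from what a direct connection to the same site shows, the TLS session ends at the proxy rather than at the site. A pinned fingerprint has to be refreshed whenever the site renews its certificate.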
 

Author Comment

by:amoruso
ID: 9709371
Thanks robing for your answer! It was very easy to understand, although reading about the "man-in-the-middle" attack did make me nervous for a moment. At work, I have no choice but to use the company's web proxy, which I believe shouldn't present much of a risk. But generally I'd be a little more cautious about public open proxies.
 
LVL 1

Expert Comment

by:Ferg_y2k
ID: 9716938
Hi, just to let you know it is secure. Only SSH1 is subject to man-in-the-middle attack; HTTPS servers these days use SSH2, where, through a little bit of complex maths, each client & server obtain a public & private key for encrypting & decrypting. These are not sent, so any spying eyes don't stand a chance unless they want to crack the 128-bit encryption, which would take until the end of time. So you are safe :O)

If you would like to read a little more into SSH (the encryption used with https), you can read up on it here:

http://neworder.box.sk/newsread.php?newsid=9594

Hope I was some help

Ferg
 

Expert Comment

by:riqw
ID: 9746053
Yup, HTTPS is secure even when connected to the proxy, because all data in and out is encrypted.