Risks Of Transparent Proxies

[Crushdepth]

This is a cautionary note on using dodgy transparent proxies.

A while back I noticed a sudden surge in visits to our website. After asking lots of questions (I am not really a computer guy) I discovered that the server running our work site, which is hosted in our office, was acting as a transparent proxy. Why, I cannot imagine. After much complaining, I managed to get it closed, but not before our server had been listed on many web dodgy websites as a 'free for all'.

Today (months later) while looking through a raw log file I noticed that we are *still* getting loads of people trying to use our server, though not as many as before, presumably because we are still listed as open. The scary thing is when I look in the log file, its stuffed full of people's logins, passwords, and the URL of the site they were trying to access.

So...careful where you send those passwords!

[bluebear]

whats a transparent proxy?

[marquess]

One is which you location is shown on the ISP. Quite useful, as on the whole they tend to be faster than an anonymous proxy, yet still allow you to circumvent local censorship.

[bluebear]

ok, thanks.

i know how to get an anonymous proxy but how do you get a transparent one?

[Abandon]

TRUE uses a transparent proxy, which I understand is its filter for the sites it black lists. I found that on my web-based email site I regularly would check in and get someone elses email account to peruse. Always they were from thailand. the email co. never bothered answering my countless complaints, but I also used to mail the people whose accounts I would access, and we found we were all using TRUE.

The reason was the transparent proxy which gave all the users the same IP, and so if you did not log out of your account, the next TRUE user would go to your account automatically. The same also happened with a couple of Bit Torrent sites that monitored your UL/DL ratio.

I know it is off topic a little, but just thought I would bring it up as we got onto transparent proxies.

[Butterfly]

Sounds like a transparent cache proxy issue

I am using my own private cache proxy but this still doesn't resolve the transparent proxy issue. All ISP in Thailand use a transparent proxy so technically ALL our private information (login, password for emails, banking etc...) are NOT PRIVATE

Edited September 25, 2005 by Butterfly

[autonomous_unit]

Isn't a transparent proxy just one that intercepts and rewrites traffic that passes through a network, e.g. without the client addressing the proxy intentionally?

If so, beware of transparent proxy is just another way of saying: beware of sending private information over non-SSL connections! There is nothing special about transparent proxies versus all the other tools that can intercept/monitor/log unencrypted traffic, given appropriate access to the networking equipment... modern networks are not secure nor private in and of themselves, but only when operated in secure ways by trusted operators.

Or, did you mean beware of implementing a logging proxy by accident? I suppose you could be legally or administratively liable for recording private information of other people by accident?

[Crushdepth]

Pretty much.

In this case, yes we ended up acting as a proxy / logging all this info by accident, as it was the default behaviour of the Linux distro our engineer used.

My point was that it would be a simple matter to intentionally set up something like this, get it listed as a proxy on a few websites then suck up all the access credentials. Virtually no effort at all.

As for liability, I don't think so. We didn't invite people to use our equipment, other people found it, advertised it and used it. If you point at a proxy and transmit unencrypted requests containing information you regard as private. I don't think you have grounds to complain when that information appears in the webserver logfiles.

[the scouser]

Forgive my ignorance, but does this mean that whenever I access, for example, my internet banking site through AOL (my ISP), my passwords etc are stored on their server and could be misused by a criminally minded employee?

Scouse.

[Abandon]

forgiven

[autonomous_unit]

Forgive my ignorance, but does this mean that whenever I access, for example, my internet banking site through AOL (my ISP), my passwords etc are stored on their server and could be misused by a criminally minded employee?

Scouse.

<{POST_SNAPBACK}>

Probably not, if it is a reputable bank. Does the URL you start with begin "https"? I always make sure the sign-in page is https before I type any username or password for important sites. Your browser also probably has some sort of "lock" icon that will show when the site is properly encrypted. When this is working correctly, your browser is forming a secure connection with the bank that cannot be read by any intervening proxy, router, or ISP technician. At most, they can discover that you are making secure connections to a particular bank (which might be useful at the start of some other attempt at fraud, such as directed "phishing".)

To be really confident, you want to click on this to view the security info for the page. It should indicate that it is encrypted and that the site is using a certificate with the name of the bank, issued by a reputable CA (certificate authority) that is known by your browser. Usually, your browser will check this for you and make sure the certificate matches the URL you tried to access. Most fraud here, e.g. "phishing" email, would be around trying to send you to a different URL while concealing it to make it appear as the real bank URL. Browsers are being patched all the time to help prevent this sort of trickery.

If you don't check that the site certificate is correct and make sense, there is a technical possibility of a "man in the middle" attack where someone is pretending to be the bank, intercepting your login information, and then passing it on to the bank while pretending that they themselves are you. Some people consider this to be an unlikely scenario, but in a proxy situation like this thread is discussing, it would actually be quite simple to automate!

Unfortunately, some low-budget sites will create their own certificates that are not signed by a real commercial CA, and you have no real way to trust the certificate. It's kind of like placing a secure phone call, but not knowing for sure who is on the other end of the line. I've never seen a real financial institution do this, however...

[the scouser]

Thanks for the explanation in layman's terms. Yes, my bank is one of the major UK banks, so one would presume they are security conscious. My mind has been put to rest.

Thanks,

Scouse.

[Crushdepth]

Just one thing to emphasise - when you see that lock appear for a 'secure' site, all it means is that you have a secure connection. The lock doesn't tell you who you are securely connected *to*. The lock itself is absolutely meaningless, you could be securely connected to a fake site.

As the above poster said, you have to click on the lock and take a look at the certificate. The certificate should be registered to the organization you are trying to do business with. If it isn't, then don't use it.

If you connect to a legitimate secure site (and you check that the certificate is valid) you are probably reasonably safe. However, if you connect to a non-secure site then basically anything you send can potentially be read with very little effort.