Saturday, January 06, 2007

Beware of open and "free" proxies

With Internet access still quite crippled in Malaysia, I've noticed some postings on forums and some blogs about "free" web proxies located in other countries. These proxies are provided by ostensibly "generous" persons who want to "help" you surf the net.

Speaking from personal experience, setting up a secure and properly configured web proxy is not a trivial matter. In fact, I would only do so for users I know and trust. Other than the obvious bandwidth issues, proxy operators also need to worry about liability issues. For example, users may use the proxy to surf kiddy pr0n, spammers could use it to send out their unwanted mail, or hackers could use it to launch attacks.

Just to give you an idea of the cost and effort needed to run a web proxy, one company charges US$24.95 a month for dial-up bandwidth (30-60kbps) and US$49.95 a month for broadband (100-900kbps) access to its proxies. With that in mind, you have to wonder why anyone would set up a free, open proxy that can be accessed by thousands, even millions of users?

As the proxy company noted:
If someone is offering a free proxy service, there is a catch somewhere. Considering the cost of bandwidth and machine maintenance, a free proxy service is simply not feasible.

The proxies that are listed are likely to be malicious proxies, i.e. proxies set up by hackers to record, or worse, to alter traffic that passes thru them.
By design, a proxy sits between your browser and other websites, and this provides a perfect opportunity for conducting Man-in-the-middle (MITM) attacks. If you have used these unknown proxies, I recommend you immediately change all your passwords and check activity/transaction logs for any accounts you accessed thru them.

In fact, most, if not all proxies on public lists and forums are:

1) Misconfigured proxies - the operator is not aware that the proxy is open to the rest of the world. Users are, in fact, stealing bandwidth.
2) Malicious proxies - these are set up by hackers to record everything sent to the proxy; this includes unencrypted logins and passwords.
3) Compromised proxies - If an operator does not know how to properly configure a proxy, there's a chance he may not know much about security either. Even if the operator has no malicious intent, the proxy may eventually be compromised by hackers and turned into a malicious proxy.
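
A check an operator can run for case 1, as an added example that is not part of the original post: it scans proxy access logs for successful requests from clients outside the networks the operator means to serve, and flags CONNECT tunnels to port 25 (the mail relaying mentioned earlier). It assumes Squid's native access.log layout; the allowed networks and the log lines are constructed.

```python
import ipaddress
from collections import Counter

# Assumption: the networks the operator intends to serve (constructed values).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("192.168.10.0/24", "10.0.0.0/8")]

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1168070401.120    245 192.168.10.15 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/192.0.2.10 text/html
1168070402.480    310 203.0.113.7 TCP_MISS/200 20480 GET http://example.org/a.zip - DIRECT/192.0.2.20 application/zip
1168070403.002   1500 198.51.100.23 TCP_MISS/200 840 CONNECT mail.example.net:25 - DIRECT/192.0.2.30 -
1168070404.777     12 203.0.113.7 TCP_DENIED/403 1400 GET http://example.org/b - NONE/- text/html
1168070405.010     90 10.1.2.3 TCP_HIT/200 900 GET http://example.com/logo.png - NONE/- image/png
garbage line that does not parse
"""

def is_allowed(client):
    """True if the client address falls inside one of the allowed networks."""
    addr = ipaddress.ip_address(client)  # raises ValueError on junk
    return any(addr in net for net in ALLOWED_NETS)

def audit(log_text):
    """Return (bytes served per outside client, outside CONNECTs to port 25)."""
    outside_bytes = Counter()
    smtp_tunnels = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or malformed line
        client, action, size, method, url = fields[2:7]
        try:
            if is_allowed(client):
                continue
            nbytes = int(size)
        except ValueError:
            continue  # unparsable address or byte count
        if action.startswith("TCP_DENIED"):
            continue  # the proxy refused this request, so nothing was served
        outside_bytes[client] += nbytes
        if method == "CONNECT" and url.rsplit(":", 1)[-1] == "25":
            smtp_tunnels.append((client, url))
    return dict(outside_bytes), smtp_tunnels

if __name__ == "__main__":
    served, tunnels = audit(SAMPLE_LOG)
    print("Served to outside clients (bytes):", served)
    print("Outside CONNECT tunnels to port 25:", tunnels)
```

Any entry in the first result means the proxy is answering strangers; denied requests are skipped because they show the access rules working.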

Wikipedia has some general info about proxy servers and also mentions malicious proxies:
http://en.wikipedia.org/wiki/Proxy_server

A commercial provider of proxies details the risks of using open proxies:
The dangers of open proxy servers
http://theproxyconnection.com/openproxy.html
OK, some of it is probably self-serving - this company sells proxy services - but there is still a lot of useful information about open proxies that all users need to know.

Back to Wikipedia:
The bottom line is - be wary when using proxy servers, and only use proxy servers of known integrity (e.g., the owner is known and trusted, has a clear privacy policy, etc.), and never use proxy servers of unknown integrity. If there is no choice but to use unknown proxy servers, do not pass any private information (unless it is properly encrypted) through the proxy.
