Proxy Server - Can it steal Passwords?
Results 1 to 4 of 4

Thread: Proxy Server - Can it steal Passwords?

  1. #1
    Member
    Join Date
    Jan 2003
    Posts
    30

    Proxy Server - Can it steal Passwords?

    Today I connect to my web-application using a Proxy server that supported SSL. I connected to my web-app (which is SSL secured HTTPS://mywebapp.cancel.com) and I ented my User ID and Password, and used my WEB APP. Am I endanger of having my password stole because i used to the Proxy server? Does it retain the password, server / public key?


    I thought of this and immediatly stopped using it. But now i am very concerned that the proxy server the person who owns it can use my password/user-id to log into my app. Is this true? and Should I be concerned.



    Thanks :-/
    Andrew

  2. #2
    Member
    Join Date
    Jan 2003
    Posts
    30
    Also Note that the Proxy Server i was using was one that I 'googled' and found on a lsit of free proxy servers :-/

  3. #3
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Well, the short anser is: No.
    In most cases SSL data is used in a forward proxy scenario and is actually tunneled to its destination after the connection has been established by the proxy, this means the proxy is unable to read the data of the encrypted seession. There are other possible scenarios (Secure reverse proxying and others) and much of it depends on how things are configured but as long as you are using HTTPS and the connection is being tunneled to the secure content site and not some intermediary site you are probably fine. This is not to say that eavesdropping on a SSL connection cannot be done, merely that its not particularly easy (involves quite a bit of trickery actually although there are known weaknesses in IE's handling of SSL), and even less likely that anyone was eavesdropping on your connection.

    -Maestr0
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

  4. #4
    Member
    Join Date
    Jan 2003
    Posts
    30
    Thank God.

    Thanks about Maestr0, I can definatly sleep easier.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •