June 22nd, 2004, 04:40 PM
Proxy Server - Can it steal Passwords?
Today I connect to my web-application using a Proxy server that supported SSL. I connected to my web-app (which is SSL secured HTTPS://mywebapp.cancel.com) and I ented my User ID and Password, and used my WEB APP. Am I endanger of having my password stole because i used to the Proxy server? Does it retain the password, server / public key?
I thought of this and immediatly stopped using it. But now i am very concerned that the proxy server the person who owns it can use my password/user-id to log into my app. Is this true? and Should I be concerned.
June 22nd, 2004, 04:50 PM
Also Note that the Proxy Server i was using was one that I 'googled' and found on a lsit of free proxy servers :-/
June 22nd, 2004, 05:31 PM
Well, the short anser is: No.
In most cases SSL data is used in a forward proxy scenario and is actually tunneled to its destination after the connection has been established by the proxy, this means the proxy is unable to read the data of the encrypted seession. There are other possible scenarios (Secure reverse proxying and others) and much of it depends on how things are configured but as long as you are using HTTPS and the connection is being tunneled to the secure content site and not some intermediary site you are probably fine. This is not to say that eavesdropping on a SSL connection cannot be done, merely that its not particularly easy (involves quite a bit of trickery actually although there are known weaknesses in IE's handling of SSL), and even less likely that anyone was eavesdropping on your connection.
\"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier
June 22nd, 2004, 06:07 PM
Thanks about Maestr0, I can definatly sleep easier.