
Who do you trust with your web traffic?

02.26.2008 - 9:16 AM
More and more businesses, schools, and government agencies are managing Internet usage. In many cases, organizations are setting up policies to prevent users from accessing sites like MySpace and Facebook, as well as gambling and shopping sites.

However, a growing number of online tools let users bypass Internet filtering. Services of this kind, such as anonymous proxies (also known as Web proxies), are becoming very popular for getting around Internet blocking.

But are these services themselves always safe? The answer is no.

Just about anyone can set up an anonymous proxy and advertise it openly for others to use. Web proxy lists are easy to find with a simple lookup on any search engine. Any such proxy may be hostile: set up deliberately to eavesdrop on the traffic flowing through it and to capture passwords for any site your users reach through it, including online banking, PayPal, and social networking sites like MySpace.

Here’s an example of how easily this can be done. We installed a free, popular Web proxy and monitored the traffic. As the captures below show, the traffic was logged and the data collected revealed the Web sites accessed, along with user names and passwords.

User browses through the Web proxy site to www.myspace.com (screenshot):

User fills in login information to access a personal account (screenshot):

Proxy server log shows the user's login request to the Web site:

        [15/Feb/2008:08:17:26 -0800] "POST /nph-proxy.cgi/010110A/http/secure.myspace.com/index.cfm=3ffuseaction=3dlogin.process HTTP/1.1" 200 - "http://10.211.209.53/nph-proxy.cgi/010110A/http/www.myspace.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12" "-"

Monitored data reveals user name and password in clear text:

        0x0130:  416b 5447 396e 6157 3566 5357 3168 5a32  AkTG9naW5fSW1hZ2
        0x0140:  5643 6458 5230 6232 3425 3344 264e 6578  VCdXR0b24%3D&Nex
        0x0150:  7450 6167 653d 2663 746c 3030 2532 344d  tPage=&ctl00%24M
        0x0160:  6169 6e25 3234 5370 6c61 7368 4469 7370  ain%24SplashDisp
        0x0170:  6c61 7925 3234 6374 6c30 3025 3234 456d  lay%24ctl00%24Em
        0x0180:  6169 6c5f 5465 7874 626f 783d 6a61 636b  ail_Textbox=jack
        0x0190:  6861 636b 6564 2534 306c 6976 652e 636f  hacked%40live.co
        0x01a0:  6d26 6374 6c30 3025 3234 4d61 696e 2532  m&ctl00%24Main%2
        0x01b0:  3453 706c 6173 6844 6973 706c 6179 2532  4SplashDisplay%2
        0x01c0:  3463 746c 3030 2532 3450 6173 7377 6f72  4ctl00%24Passwor
        0x01d0:  645f 5465 7874 626f 783d 6170 706c 6531  d_Textbox=apple1
        0x01e0:  2663 746c 3030 2532 344d 6169 6e25 3234  &ctl00%24Main%24
        0x01f0:  5370 6c61 7368 4469 7370 6c61 7925 3234  SplashDisplay%24
        0x0200:  6374 6c30 3025 3234 4c6f 6769 6e5f 496d  ctl00%24Login_Im
        0x0210:  6167 6542 7574 746f 6e2e 783d 3231 2663  ageButton.x=21&c
        0x0220:  746c 3030 2532 344d 6169 6e25 3234 5370  tl00%24Main%24Sp
        0x0230:  6c61 7368 4469 7370 6c61 7925 3234 6374  lashDisplay%24ct
        0x0240:  6c30 3025 3234 4c6f 6769 6e5f 496d 6167  l00%24Login_Imag
        0x0250:  6542 7574 746f 6e2e 793d 3132 2663 746c  eButton.y=12&ctl

The same capture viewed in Wireshark (screenshot):

Closer look (screenshot):

Even when the site you log in to is itself secure and encrypted, that does not mean the anonymous proxy server you are using is set up to be secure as well.

Your traffic can travel in clear text from the browser to the proxy server, and the proxy relays everything you send and receive. This means your privacy can be invaded: e-mail, instant messages through MSN, AIM, and Google Talk, or any other data passing through the proxy, could be read.

Be aware that someone could be watching your users’ every move and gathering their information to log in to your accounts, perhaps for financial gain. Thus, bypassing filtering through proxy sites can open your organization to a variety of harmful behaviors.
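The two pieces of evidence above (the proxy's access-log line and the captured POST body) can be checked mechanically, which is how a defender would audit a proxy or a capture for the same problem. The following script is an added example written for this page, not tooling from the original post. It takes the tcpdump -X fragment and the log line printed above as its sample input, rebuilds the form body from the hex columns, flags the form fields whose names look like credentials, and splits the rewritten proxy path into its two hops: the origin the proxy fetched on the user's behalf and the plain-http hop from the browser to the proxy. Assumptions not stated on the page: the dump is in tcpdump -X layout (offset, eight 4-digit hex groups, ASCII column) and the path follows the /nph-proxy.cgi/<flags>/<scheme>/<host>/... pattern seen in the log line.

```python
"""Check a CGI-proxy access log and a packet-capture hex dump for credentials
crossing the browser-to-proxy hop in clear text.

Added example, not tooling from the original post. Sample inputs are the
tcpdump -X fragment and the access-log line printed in the post. Assumed
formats: tcpdump -X layout (offset, eight 4-digit hex groups, ASCII column)
and the proxy path layout /nph-proxy.cgi/<flags>/<scheme>/<host>/...
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Hex dump fragment as printed in the post: a URL-encoded POST body captured
# mid-stream, so it starts inside a field (first 11 lines of the dump).
HEXDUMP = """\
0x0130:  416b 5447 396e 6157 3566 5357 3168 5a32  AkTG9naW5fSW1hZ2
0x0140:  5643 6458 5230 6232 3425 3344 264e 6578  VCdXR0b24%3D&Nex
0x0150:  7450 6167 653d 2663 746c 3030 2532 344d  tPage=&ctl00%24M
0x0160:  6169 6e25 3234 5370 6c61 7368 4469 7370  ain%24SplashDisp
0x0170:  6c61 7925 3234 6374 6c30 3025 3234 456d  lay%24ctl00%24Em
0x0180:  6169 6c5f 5465 7874 626f 783d 6a61 636b  ail_Textbox=jack
0x0190:  6861 636b 6564 2534 306c 6976 652e 636f  hacked%40live.co
0x01a0:  6d26 6374 6c30 3025 3234 4d61 696e 2532  m&ctl00%24Main%2
0x01b0:  3453 706c 6173 6844 6973 706c 6179 2532  4SplashDisplay%2
0x01c0:  3463 746c 3030 2532 3450 6173 7377 6f72  4ctl00%24Passwor
0x01d0:  645f 5465 7874 626f 783d 6170 706c 6531  d_Textbox=apple1
"""

# Access-log line as printed in the post.
LOG_LINE = (
    '[15/Feb/2008:08:17:26 -0800] "POST /nph-proxy.cgi/010110A/http/'
    'secure.myspace.com/index.cfm=3ffuseaction=3dlogin.process HTTP/1.1" 200 - '
    '"http://10.211.209.53/nph-proxy.cgi/010110A/http/www.myspace.com/" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) '
    'Gecko/20080201 Firefox/2.0.0.12" "-"'
)

HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s+((?:[0-9a-fA-F]{4} ?){1,8})")
# Form-field names that normally carry a credential or account identifier.
CREDENTIAL_FIELD = re.compile(r"pass(word|wd)?|pwd|email|user(name)?", re.I)
LOG_REQUEST = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)
PROXY_PATH = re.compile(r"^/nph-proxy\.cgi/[^/]+/(?P<scheme>https?)/(?P<host>[^/]+)")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the payload bytes from the hex columns of a tcpdump -X dump."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def find_plaintext_credentials(body: bytes) -> list[tuple[str, str]]:
    """Decode a URL-encoded form body and return the (field, value) pairs whose
    field name looks like a credential. parse_qsl is lenient, so a body that
    was captured mid-field still yields the complete pairs in the middle."""
    pairs = parse_qsl(body.decode("ascii", errors="replace"), keep_blank_values=True)
    return [(name, value) for name, value in pairs if CREDENTIAL_FIELD.search(name)]


def mask(value: str) -> str:
    """Keep only the first character so a report does not re-expose the secret."""
    return value[:1] + "*" * (len(value) - 1)


def classify_proxy_request(log_line: str) -> dict:
    """Split a CGI-proxy request into its two hops: the origin the proxy fetched
    (encoded in the rewritten path) and the browser-to-proxy hop, whose scheme
    the Referer (itself a proxy URL) reveals."""
    m = LOG_REQUEST.search(log_line)
    if m is None:
        raise ValueError("unrecognised access-log format")
    p = PROXY_PATH.match(m["path"])
    if p is None:
        raise ValueError("not a /nph-proxy.cgi/ rewritten path")
    browser_scheme = urlsplit(m["referer"]).scheme or "unknown"
    return {
        "method": m["method"],
        "origin_scheme": p["scheme"],
        "origin_host": p["host"],
        "browser_to_proxy_scheme": browser_scheme,
        # A POST sent to the proxy over plain http carries its form body in the
        # clear on that hop, whatever the origin site itself uses.
        "plaintext_post_to_proxy": m["method"] == "POST" and browser_scheme == "http",
    }


if __name__ == "__main__":
    info = classify_proxy_request(LOG_LINE)
    print(f"{info['method']} to {info['origin_host']} via proxy, "
          f"browser->proxy scheme: {info['browser_to_proxy_scheme']}")
    for name, value in find_plaintext_credentials(hexdump_to_bytes(HEXDUMP)):
        print(f"  clear-text field {name.rsplit('$', 1)[-1]} = {mask(value)}")
```

Run as a script it reports the POST to secure.myspace.com with an http browser-to-proxy hop and the masked Email_Textbox and Password_Textbox values. The same two functions can be pointed at a full access log and at a larger capture to find every plain-http POST that went through a proxy of this kind; the report masks values so that auditing the problem does not copy the credentials into yet another file.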

Security Researcher: Jack Rasgaitis
