Hey,

I was wondering, when using a proxy, does SSL (through HTTPS) secure the connection from the admins of the proxy, so they will not be able to see the content?

A: 

You have to trust the proxy. See: http://en.wikipedia.org/wiki/Man-in-the-middle_attack

lecodesportif
But how can the proxy decode content sent over SSL? The encryption is done on the user computer.. once sent over, the proxy will only be able to see the encoded message, but will not be able to decrypt it. Am I missing something?
Joel
That's so with HTTP proxy, which nobody in his mind would do. One should use HTTPS proxy (HTTP CONNECT) to securely connect via proxy.
Eugene Mayevski 'EldoS Corp
You don't really need to trust the proxy, only that it will do the right CONNECT, which merely tunnels all the TLS traffic once the connection is established. If the proxy tries a man-in-the-middle attack to redirect you to another server, the browser won't verify the certificate (since even with CONNECT, it's the target host's certificate that's used, as the entire SSL/TLS connection is tunnelled, including the handshake of course). (HTTPS proxy servers add almost nothing when connecting to HTTPS sites for that reason. They're helpful for HTTP sites if the link to the proxy isn't trusted.)
Bruno
+2  A: 

Basically, when doing SSL connections with a proxy, you connect to the proxy and use something like the CONNECT HTTP verb, which just asks the proxy to connect to the remote host on the specified port. At that point, you're not secure; you can assume that the proxy is listening to the conversation. You then start an encrypted session with the remote host, using that host's public key, or rather the remote host uses its private key which you can check against its public key without needing to trust the proxy. The handshake algorithm is such that the proxy can't see what's inside the encrypted channel (since they don't know the session keys that each side picked as part of the SSL protocol). All the proxy can do is inject random detectable noise or cause the connection to get dropped; they can do denial-of-service attacks but can't affect the integrity or secrecy of any information actually transferred.

That's the beauty of using a proper crypto protocol like SSL.

Donal Fellows
Great, that's what I thought :) They can basically break the connection, but they won't be able to see the real content of the msgs between me and the server.
Joel
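The following is an added, self-contained Go example (not code from any poster above) that reproduces what Donal's answer and Bruno's comment describe: a client sends `CONNECT host:port` to a minimal proxy, the proxy answers `200 Connection established` and then blindly relays bytes, and the TLS handshake runs end to end with the origin. The proxy records everything it can see, so you can check that it learns the target `host:port` from the CONNECT line but only ciphertext afterwards. It also has a hypothetical `redirect` switch: a dishonest proxy that sends the tunnel to a different server, which makes the client's certificate verification fail exactly as Bruno says. Everything runs on 127.0.0.1 with a throwaway self-signed certificate generated in-process (a constructed test fixture, not a real CA); the names `selfSigned`, `tlsEcho`, `startProxy` and `viaProxy` are this example's own.

```go
package main

import (
	"bufio"; "fmt"; "io"; "math/big"; "net"; "strings"; "sync"; "time"
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/tls"; "crypto/x509"
)

// selfSigned makes a throwaway "localhost" certificate (constructed for this demo) and
// a pool trusting only it; each call yields an unrelated key pair and certificate.
func selfSigned() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// serveLoop accepts connections until the listener closes, handing each to handle.
func serveLoop(ln net.Listener, handle func(net.Conn)) {
	for {
		c, err := ln.Accept()
		if err != nil { return }
		go handle(c)
	}
}

// tlsEcho starts a TLS origin server that answers one line with "echo: <line>".
func tlsEcho(cert tls.Certificate) string {
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	go serveLoop(ln, func(c net.Conn) {
		defer c.Close()
		line, _ := bufio.NewReader(c).ReadString('\n')
		fmt.Fprintf(c, "echo: %s", line)
	})
	return ln.Addr().String()
}

// skipHeaders consumes header lines up to the blank line that ends them.
func skipHeaders(r *bufio.Reader) {
	for h, err := r.ReadString('\n'); h != "\r\n" && err == nil; h, err = r.ReadString('\n') {}
}

// Proxy is a minimal HTTP CONNECT proxy that records everything it could observe:
// Target is the host:port from the CONNECT line, Relayed every byte passed after 200.
type Proxy struct {
	Addr, redirect string // redirect, when set, is where a dishonest proxy really dials
	Mu sync.Mutex; Target string; Relayed []byte
}

// Write is the tap: every relayed byte in both directions lands here.
func (p *Proxy) Write(b []byte) (int, error) {
	p.Mu.Lock(); defer p.Mu.Unlock()
	p.Relayed = append(p.Relayed, b...)
	return len(b), nil
}

func startProxy(redirect string) *Proxy {
	ln, _ := net.Listen("tcp", "127.0.0.1:0")
	p := &Proxy{Addr: ln.Addr().String(), redirect: redirect}
	go serveLoop(ln, p.serve)
	return p
}

func (p *Proxy) serve(c net.Conn) {
	defer c.Close()
	r := bufio.NewReader(c)
	req, _ := r.ReadString('\n')
	skipHeaders(r)
	f := strings.Fields(req)
	if len(f) < 2 || f[0] != "CONNECT" { return } // only CONNECT is supported here
	p.Mu.Lock(); p.Target = f[1]; p.Mu.Unlock()
	dst := f[1]
	if p.redirect != "" { dst = p.redirect } // dishonest mode: ignore the requested target
	up, err := net.Dial("tcp", dst)
	if err != nil { return }
	defer up.Close()
	fmt.Fprint(c, "HTTP/1.1 200 Connection established\r\n\r\n")
	// From here on the proxy is a dumb pipe: it sees every byte, but they are TLS records.
	go io.Copy(up, io.TeeReader(r, p))
	io.Copy(c, io.TeeReader(up, p))
}

// viaProxy opens a CONNECT tunnel through proxyAddr to target, then runs the TLS
// handshake end to end with the origin, verifying its certificate against pool.
func viaProxy(proxyAddr, target string, pool *x509.CertPool, msg string) (string, error) {
	c, err := net.Dial("tcp", proxyAddr)
	if err != nil { return "", err }
	defer c.Close()
	fmt.Fprintf(c, "CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n", target, target)
	r := bufio.NewReader(c)
	status, _ := r.ReadString('\n')
	if !strings.Contains(status, " 200 ") { return "", fmt.Errorf("proxy refused tunnel: %q", status) }
	skipHeaders(r)
	// TLS runs over the raw socket; the proxy relays the handshake but never holds the keys.
	t := tls.Client(c, &tls.Config{ServerName: "localhost", RootCAs: pool})
	if err := t.Handshake(); err != nil { return "", err } // a redirecting proxy fails here
	fmt.Fprintf(t, "%s\n", msg)
	reply, err := bufio.NewReader(t).ReadString('\n')
	return strings.TrimSpace(reply), err
}
```

Run it as: start `tlsEcho` with one certificate, start `startProxy("")`, and call `viaProxy` with the pool that trusts that certificate; the reply comes back intact while `Proxy.Relayed` contains the TLS records and `Proxy.Target` the host:port, which is the one thing a CONNECT proxy does learn (the SNI in the ClientHello names it too). Start a second proxy with `redirect` pointing at a server with a different certificate and the same call fails in `Handshake` with an unknown-authority error, which is the browser-side check Bruno refers to; an honest proxy can still drop the connection, but it cannot read or alter the tunnelled data.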