MITM Attack and Free Proxy
A MITM attack is an effective way to hijack an SSL-secured website. There are many ways to perform SSL stripping via a MITM attack; setting up a free proxy server is among the most effective and is gaining popularity. People on the Internet use "free proxy servers" for various purposes and are not aware that these proxy servers can act as a "Man In The Middle" to collect their personal data, credit card data and account passwords.
Let's have a detailed look at the issue: why and how a proxy server can steal our data even when HTTPS is enabled.
Why we use a proxy server?
A proxy server is a system or application that acts as a middleman between a client's machine and other servers when requesting and serving resources. A client machine connects to the proxy server, which in turn connects to the real server, fetches the resource and serves it back to the client machine. Proxies were invented to handle complex situations such as distributed network systems and inter-protocol links.
Proxy servers are mainly used for following purposes:
- Bypassing firewall filters and censorship imposed in offices, schools, universities, banks etc.
- Accessing the different versions of a website available for different countries and languages.
- Accessing geo-location-specific services, such as government services provided in a specific country.
- Performing and controlling geo-targeted advertising.
- Hiding personal identity and spoofing a web server.
Logging And Eavesdropping (Man in the middle attack)
99.9% of free proxies are open proxies that anyone on the Internet can use. Such open proxies are deliberately deployed by hackers to lure people and steal their data, such as account passwords and credit card data. Most open and free proxies are installed and set up in order to eavesdrop on the data flow between client machines and the web.
All the content sent or received via such proxy servers – including passwords, cookies and transaction data – can be captured and analyzed by the proxy operator. The sensitive data can easily be filtered out and offered for sale on the dark web and deep web.
For example, if someone accesses the PayPal website using an open proxy, their account credentials can easily be filtered out of the proxy log and sold or misused to grab money.
Even on websites that use an SSL certificate to encrypt data, proxies equipped with SSL stripping software can easily overcome the SSL protection and steal customer data.
Using proxies that do not reveal data about the original requester (highly anonymous proxies), it is possible to hide your activities from the destination site. The price of this anonymity is that you are at great risk if you send or receive sensitive information.
Many free VPN, tunneling and proxifying applications are available on the Internet (for example http://http-tunnel.sourceforge.net/). There is a misconception that using an open proxy with these applications hides the user's identity and secures their data.
Is a proxy server hacking SSL encryption?
Yes, an open free proxy server can hack websites that have SSL encryption enabled, so we cannot rely on HTTPS with closed eyes. Though it is a client-side blunder, it is possible.
A free proxy server deployed with SSL stripping software can easily strip off the HTTPS layer and expose the data to hackers.
Thus a proxy server running sslstrip nullifies the use of an SSL certificate, but there are still some tricks to keep your website safe during an sslstrip attack:
- Use the "Strict Transport Security" HTTP response header in your server settings.
- Use a cipher algorithm in JavaScript to send critical information such as ID and password. Payment gateways that accept credit cards directly from customers use one or another kind of JavaScript encryption; for example, the Braintree gateway uses its own encryption script, braintree.js.
- Send the client URL, including the scheme (http:// or https://), to the web server using "location.href" in JavaScript, so that the web server can verify that its URL is valid.
- Use other methods based on a platform-specific binary module such as ActiveX or another plugin.
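Of the four measures above, "Strict Transport Security" is the one the browser enforces on its own before any page content loads, so it is worth checking that the header a site sends is actually strong. The following is an added example, not code from the original article: it parses a response's Strict-Transport-Security value and grades it; the one-year max-age and includeSubDomains bar is an assumption taken from common browser preload requirements, not from the article.

```python
# Added example: parse and grade a Strict-Transport-Security header (RFC 6797).
# The one-year / includeSubDomains bar is an assumption borrowed from the
# browser preload-list requirements; the article itself sets no threshold.
from typing import Dict, Optional

ONE_YEAR = 31536000  # seconds

def parse_hsts(value: str) -> Optional[Dict[str, object]]:
    """Split an HSTS value into directives; None if max-age is absent/invalid."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():  # RFC 6797: a non-negative integer
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def assess_hsts(headers: Dict[str, str]) -> str:
    """Grade a response's headers: 'missing', 'invalid', 'weak' or 'strong'."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "missing"
    policy = parse_hsts(value)
    if policy is None:
        return "invalid"
    # A short max-age or no includeSubDomains leaves a window or a host that
    # a stripping proxy can still downgrade, so both count as weak.
    if policy["max_age"] < ONE_YEAR or not policy["include_subdomains"]:
        return "weak"
    return "strong"

# Constructed sample response headers, not captured from any real site.
SAMPLES = {
    "no-header": {"Content-Type": "text/html"},
    "short": {"Strict-Transport-Security": "max-age=300"},
    "no-subdomains": {"strict-transport-security": "max-age=63072000"},
    "strong": {"Strict-Transport-Security":
               "max-age=63072000; includeSubDomains; preload"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:14s} -> {assess_hsts(hdrs)}")
```

Note that the header only helps returning visitors whose browser has already seen it over HTTPS; a first visit over plain HTTP is still exposed unless the domain is on the browser preload list.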
SSLStrip is available for Windows and Linux. We are purposely not providing the link; you can google it for more information.
SSLStrip Installation Requirements
- Python >= 2.5 (apt-get install python)
- Python's "twisted-web" module (apt-get install python-twisted-web) needs to be installed
- Unpack the archive: tar zxvf sslstrip-0.9.tar.gz
- Optionally install it: sudo python ./setup.py install
- First set/flip your machine into forwarding mode.
echo "1" > /proc/sys/net/ipv4/ip_forward
- Set up iptables to redirect HTTP traffic to sslstrip.
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>
- Run sslstrip.
sslstrip.py -l <listenPort>
- Run arpspoof to convince the network to send its traffic to you.
arpspoof -i <interface> -t <targetIP> <gatewayIP>
After running sslstrip on the proxy server, a hacker can easily filter out account passwords, credit card numbers and so on from the traffic. At the other end it can also be used to harvest email addresses and build mailing lists. For example, your PayPal account could be compromised, your card could be charged by someone else, and you may receive tons of promotional email daily.
Security Measures while using a proxy
Anyway, if we need to use a proxy for any of the reasons discussed above in this article, we must follow these security precautions. Avoid sending any personal or vital information over the proxy as far as possible.
Use a paid, private and trusted proxy rather than a free and open proxy, because those are purposely established for hacking.
Never make a monetary transaction over a proxy, and always check the SSL certificate status in the browser address bar. Alternatively, be tricky and use one-time credit card numbers; these can be generated from your Internet banking account for a single use only. Cancel the card if it is not used anyway!
Immediately change your account credentials/password after logging in via a proxy server, and do not forget to use hard-to-predict passwords; always set a strong password.
Website owners should use an extended validation certificate together with the "Strict Transport Security" server setting.