How to Check the Security of Proxy Servers

There are very few things in life that are truly free, and when it comes to free proxy services, it’s a good idea to know just what that “free” service actually costs you.

A recent study of 443 free proxy servers by Austrian security researcher Christian Haschek ended with the conclusion that free is not necessarily a good thing, at least when it comes to the majority of proxy servers analyzed in the study. Web proxies come in different flavors but the two groups that you will encounter the most are proxies that you use on web pages and proxies that you add to your browser directly.

If you search for “free proxies” or similar terms you will discover hundreds if not thousands that claim to be free and open.

Haschek discovered that 8.5% of the proxies tested during the course of the study modified JavaScript, 16.6% modified HTML, and 79% did not accept HTTPS.

Modifications are clearly problematic and were used almost exclusively to inject ads, but the blocking of HTTPS is not something that should be taken lightly either, considering that all activities of users connected to the proxy can be recorded on the server.

The blocking of HTTPS traffic should generally be seen as a bad sign according to the researcher. While I would not go that far, it is fair to use it as an indicator that something might not be right.

The researcher has published the proxy checking script online, which you can use to test the security of proxy servers that you plan to use.

To use it, add a proxy IP and port to the script and hit enter. The page displays an annoying captcha that seems to reset every so often.

The only other option provided on the page is to switch the proxy type from Socks to HTTP.

The script checks the following currently:

  1. Is the proxy up?
  2. Are HTTPS connections allowed?
  3. Is your IP address anonymized?
  4. Is the proxy modifying JavaScript?
  5. Is the proxy modifying HTML contents?

Results are color coded for ease of use.
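The same five checks can be run over responses you have captured through a proxy yourself. The Python below is an added example, not Haschek's script: it assumes you host a reference HTML page, a reference JavaScript file and an echo endpoint (all hypothetical) that reports the source address and request headers it received, and every sample value in it is constructed.

```python
import re

def ip_tokens(value):
    """Split a header value into address-like tokens so 1.2.3.4 never matches 11.2.3.45."""
    return set(re.findall(r"[0-9A-Fa-f:.]+", value))

def injected_scripts(ref_html, got_html):
    """Script sources present in the proxied HTML but absent from the reference copy."""
    pat = re.compile(rb"<script[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
    return sorted(set(pat.findall(got_html)) - set(pat.findall(ref_html)))

def evaluate(my_ip, ref, seen):
    """ref: known-good bytes under 'html' and 'js' (files you host yourself).
    seen: what came back through the proxy; None means that request failed.
      'http_html', 'https_html', 'js' are bytes; 'echo' is {'remote_addr', 'headers'}."""
    report = {"up": seen["http_html"] is not None,
              "https_allowed": seen["https_html"] is not None}
    echo = seen["echo"]
    if echo is None:
        report["ip_anonymized"] = None  # undetermined: echo request failed
    else:
        # A leak is your address as the source, or in any header the proxy added.
        leaked = echo["remote_addr"] == my_ip or any(
            my_ip in ip_tokens(v) for v in echo["headers"].values())
        report["ip_anonymized"] = not leaked
    for kind, body in (("js", seen["js"]), ("html", seen["http_html"])):
        report[kind + "_modified"] = None if body is None else body != ref[kind]
    if report["html_modified"]:
        report["injected_scripts"] = injected_scripts(ref["html"], seen["http_html"])
    return report

# Constructed sample: a proxy that refuses HTTPS, forwards the client IP
# in a header and appends an ad script to HTML pages.
REF = {"html": b"<html><body><p>reference</p></body></html>",
       "js": b"function ok(){return 1;}"}
SEEN = {"http_html": b"<html><body><p>reference</p>"
                     b"<script src='http://ads.example/a.js'></script></body></html>",
        "https_html": None,
        "js": b"function ok(){return 1;}",
        "echo": {"remote_addr": "198.51.100.20",
                 "headers": {"X-Forwarded-For": "203.0.113.7", "Via": "1.1 proxy"}}}
REPORT = evaluate("203.0.113.7", REF, SEEN)
```

A value of `None` in the report means the check could not be decided because the underlying request failed, which is different from a pass.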

The checker accepts IP addresses and ports only, which means that you may need to look up the IP addresses of hostnames before you can run the script on them.

The script tests one proxy at a time, so it is not suitable for testing dozens or even hundreds of proxy servers, as it would take a long time to test them all.

Still, if you work regularly with a specific proxy server you may want to test it to find out more about it. You may also want to do the same for new proxy servers that you consider using. (via Krebs on Security and Charles)
