Can an anonymous proxy service capture my email password?

Home » Internet » Privacy

Summary: Anonymous access or proxy services provide a level of anonymity by hiding your IP address from sites you visit. A malicious proxy can do a lot more.

I some times use anonymous proxy server for browsing the web. Suppose I use this to check my email can that proxy server capture my password?

Short answer: quite possibly.

Longer answer: quite possibly your password and much, much more.

It depends on the proxy server, how it works, and how you're connecting to the sites you're attempting to access anonymously.

•

First, a quick refresher on how you connect to a web site and why an anonymizing service is interesting.

Recall that when you connect to a web site your internet IP address is provided to the server hosting the web site:

IP transmission to a web site being visited

And yes, that's Ask Leo! in the example image because as you're visiting this site, your IP address is transmitted to the site. In fact, I think your IP address is:

38.103.63.62

"... it really does all boil down to trust."

As we'll see in a moment, several things can affect that, but for most of you that's the internet IP address of your computer or your router if your computer is behind one.

You can't prevent an IP from being exposed to the computers and servers you visit. It's the fundamental nature of the internet. Communication of IP addresses is required to make it all work.

But you can - sort of - control which IP gets communicated and how far.

Enter the anonymization service:

IP transmission to a web site being visited through a proxy service

Here you can see that you're using an intermediary. Your IP address only goes as far as the proxy service. They then turn around and make the web site request on your behalf (hence "proxy"), exposing only their IP address to the web site you're visiting, not your IP address.

There are several such services, but they all share one thing in common:

You have to trust them.

•

Here's the problem: every request you make, and every response you get is routed through the proxy service's servers.

Everything.

That has two exceptionally important ramifications:

The proxy knows your IP. If they maintain and retain access logs, it's conceivable that those logs could be demanded by legal authorities to track activity. They'd know the IP address you were coming in from and the web sites that you were visiting through the proxy.

I'd expect a "good" proxy not to keep those logs at all, but you never know. It's a matter of trust.
The proxy sees your data. Every request you make goes to the proxy where it's interpreted so that the proxy knows what to do with it next. While it's looking at it, your data could be there for the proxy to examine and do whatever else with. So yes, if that data contains your email account name and password in unencrypted text, you bet a malicious proxy could be collecting that information.

Fundamentally you're implicitly trusting the proxy to be a good player - both preserving your anonymity, and not peeking at your data.

•

But what about secure connections using https?

In general, a proxied connection over https is safe from data snooping. The proxy still knows your IP, of course, so that responses can be sent back to you, but the data is obscured by encryption.

There are issues to be aware of and be careful with:

Know what's being encrypted. Quite often only the connection to the proxy server itself is encrypted. For example, if you're connecting to https://secure.proxyserver.com?moredata then you're establishing a secure connection only to the proxy server. This is common for services that provide secure internet access for open wifi hotspot users, for example, as it prevents all your data from being sniffed.

It's also not uncommon to configure a proxy service in your Internet Options in this same way. When this is done then the connection to the proxy server is secure even if you're not specifying https on every website access.

But the bottom line is that if the connection to the proxy server is secure, that still does not prevent the proxy from examining your data.
Make sure it's proxying end-to-end https connections. So the solution keep your data secure even from the proxy itself is to use secure connections end to end. For example accessing https://mail.google.com establishes a secure encrypted connection between your computer and the service. Proxies or other types of data interception will not be able to decipher the contents of your communication.

The catch? Not all proxy services handle https. So if you make an https connection to your favorite site then you might be connecting directly, and thus exposing your IP address to the site, defeating any attempts to gain anonymous access.
There's an obscure hack that could render https insecure through proxies. Particularly in a corporate or other institutional environment where you don't actually control your own machine, replacement security certificates could be installed on your machine that could allow the proxy server to intercept secure communications to specific https sites. Your browser would connect securely, but would be tricked into connecting to the proxy thinking it was connecting to the remote site. The proxy could then decrypt and examine your data before re-encrypting it and sending it on to the site you're accessing.

The only way I know of to detect this is to examine the security certificates of the https connection at the time you make it, and make sure that the entire chain of certificate trust is as it should be. Yep, this can be obscure and/or difficult, particularly since we don't always know what it "should be". Comparing the certificates you see at work against what you see at home for the same connection might be a good indicator. The good news, if you want to call it that, is that this is also difficult to set up correctly in the first place, so I believe it's quite rare.

As you can see, it really does all boil down to trust. Just like your ISP for normal connections, you're giving a proxy service a tremendous amount of access just by using them. Your IP address might not be presented to the remote site you're connecting to, but just by the nature of the internet it must be presented to the proxy. And in the worst case not only can a proxy log your accesses, a malicious proxy could typically quite easily examine your data, passwords and all.

Related:

Ask Leo! - What's a Proxy Server?
Ask Leo! - Getting all worked up over IP tracing
Ask Leo! - When I visit a web site, can the server identify me?
Ask Leo! - Can my ISP monitor my internet usage?

Article 11977 | Posted November 8, 2007

•

Recent Comments

6 Comments

1) Can my data be tracked/recorded if I use TOR network / TOR proxies?
2) What if one uses a series of proxies?
Ex: user -> Proxy1 -> Proxy2 -> https://mail.google.com

Posted by: VB at November 12, 2007 2:02 AM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It depends on the proxy. Do you trust them?

*Technically* proxies only make it much more difficult to track you, but not
impossible. If the proxies are all keeping a log, then those logs could be
examined together to trace down who's doing what. Difficult and unlikely, but
possible.

Leo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHONpTCMEe9B/8oqERAtUxAJ0ZUlffxd+2woSAoY0Qfq0bkU7vdwCfUd0q
JT3UB36x083M6cjcioT4Hzo=
=qtJr
-----END PGP SIGNATURE-----

Posted by: Leo A. Notenboom at November 12, 2007 2:56 PM

The yahoo has unsaved security. When I visited another websites then I went back the to my email yahoo's site was still there. Can someone know what I,m doing when he or she has my IP address and can they look in my yahoo email address and know all my privates and activities? Can they know my passwords when I lock in my email and ebay if they have my IP and know all the websites I just visited . ?

Posted by: vinh at November 24, 2007 12:23 PM

Are you realy going to read this or do you have an emploee do work for you ?
Have happy new year
thank you
joe

Posted by: joe at December 21, 2007 9:38 AM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I read every reasonable and on-topic comment. Your's almost didn't make the
cut. :-).

Leo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHbYqACMEe9B/8oqERAhYUAJ9qxizpJGiWrnmYjIZT6JNK6rUt4ACeO3D0
TNeduEwJ4rtab944e6fEm9M=
=i2Xz
-----END PGP SIGNATURE-----

Posted by: Leo A. Notenboom at December 22, 2007 2:06 PM

If someone accessed my yahoo email account and deleted everything, is it possible to find the IP that accessed my email, and track that person down?

Only if you can get the police to take an interest.

-Leo

Posted by: markus at July 27, 2008 9:02 AM

Post a comment on "Can an anonymous proxy service capture my email password?":

Name: (Required)

Email Address: (Required)

(Email Address will not be published.)

Remember Me? YesNo

By popular demand...
my tip jar

Buy Leo a Latte!

Comments: (you may use HTML tags for style)

New!

Subscribe to the RSS Feed specifically for comments on this article.

Before commenting, please...

Read the article at the top of this page. If your comment shows you didn't, it'll be deleted and ignored.
Comment only on this article. Use the Google search box at the top of the page if you have a question about something else.
Don't include personal information in the comment. No email addresses. No phone numbers. No physical addresses.
Don't ask me to recover lost passwords or hacked accounts. I can't, and those comments will be deleted.

I can't respond to every comment. And I can't vouch for the accuracy of others who do.
Read Why didn't you answer my question? for hints on getting an answer.
By posting a comment you agree to the Terms of Service. Don't agree? Don't post.
Read the article at the top of this page. If your comment shows you didn't, it'll be deleted and ignored. Yes, I'm saying this twice; you'd be amazed.

Please wait. Your comment is being processed ...