Saturday, October 25, 2008

Proxies don't work

After so many years, there are still many merchants on the net trying to make money from proxies. Before you waste your time: proxies mostly don't work, even though googling "proxy" gives the opposite impression.

If you pay for a proxy service, you have to be very careful and check whether there is any guarantee that the company won't sell you out. The sites you visit don't know your IP, but the proxy service knows everything about you, better than your ISP does. Your enemy just needs to gain access to the proxy company, via bribery, infiltration, or social engineering. It is said that most proxy companies collect data for profit.

A good example is multiproxy.org, whose website still exists. It was about the only practical free software that made use of free proxies around the world. It seemed OK at first, but one day the software stopped working. It appeared that the free software was spyware, sending all your URL data back to base. When the operation went bust, the servers stopped working and hence the software stopped too, failing to communicate with base.

It's the same if you pay for some VPN service. You can have a private, secure connection between your home and company. You can have a private tunnel to bypass your company/school network, hence no censoring. But if you surf via the VPN, they have your ID and your data. Big companies have at least screened their people, and you can sue them if they do anything wrong. But for a company that is only a name, what can you do about it?

Software merchants may want to give you the impression that there is an infinite number of proxies in the world for you to use. But actually most can be thought of as PCs or small systems whose owners don't know the basics of protecting their computers. Once they notice something going through, they will close the port. If not, the computer will be overloaded and unusable most of the time.

There are indeed some proxies for public use, such as CODEEN. But usually they are overloaded, and usually you can only read, not post anything or even log in. Otherwise, it would be a criminal's heaven.

There are some web-based CGI proxies that are easy to use. But these guys can be anybody. The reason more CGI proxies are available is that they can place advertisements. Also, some guys just want to attract lots of traffic to their machine so they can claim that they didn't do it themselves. To avoid trouble, most CGI proxies avoid secure connections (https) and disable the ability to post, which would otherwise become heaven for spammers (and many other types).

You can chain proxies together so that it's almost impossible for the target site to trace you, even in real time. However, it's almost impossible for normal people to do this just to protect their privacy. It's already difficult to find a public proxy that works for a while.

And since most free proxies don't support https, it's very easy for users to be misled into thinking they are secure. Say you log in to Google mail: it uses secure https for login and then switches back to insecure http. If you are not careful, you will log in successfully, but without using any proxy, and you won't even know about it. Your IP may not appear in the email headers, but Google has info about your real IP, which can be obtained by court order (how about bribery, social engineering?).
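
The silent bypass described above can be checked before you trust a setup. The following is an added example, not part of the original post: it assumes the client keeps a separate proxy entry per URL scheme (as per-protocol proxy settings do), and the host names, proxy address and function names are hypothetical.

```python
from urllib.parse import urlsplit


def route_for(url, proxies, no_proxy=()):
    """Return the proxy a request to `url` would use, or None if it goes direct."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Hosts on the exclusion list always bypass the proxy.
    for suffix in no_proxy:
        s = suffix.lower().lstrip(".")
        if host == s or host.endswith("." + s):
            return None
    # Per-scheme lookup: a table with only an "http" entry leaves https direct.
    return proxies.get(parts.scheme.lower()) or proxies.get("all")


def audit(urls, proxies, no_proxy=()):
    """Return the URLs that would leave the machine without any proxy."""
    return [u for u in urls if route_for(u, proxies, no_proxy) is None]


# Constructed sample data (hypothetical hosts): a webmail session that
# starts on http, logs in over https, then drops back to http.
HTTP_ONLY = {"http": "http://proxy.example:3128"}
BOTH = {"http": "http://proxy.example:3128",
        "https": "http://proxy.example:3128"}
SESSION = [
    "http://mail.example/",
    "https://accounts.mail.example/login",
    "http://mail.example/inbox",
]

if __name__ == "__main__":
    for name, cfg in (("http-only", HTTP_ONLY), ("http+https", BOTH)):
        leaks = audit(SESSION, cfg)
        print(f"{name}: direct requests -> {leaks or 'none'}")
```

With the http-only table, the login request is the one that reaches the site from your real IP, while the pages before and after it go through the proxy.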

In conclusion, nothing really works, and trust no one.
