How to identify if you are behind a "Transparent Proxy"
Traveling a lot? You may still be one of the unlucky few who not only connects to hotel networks regulary, but doesn't have easy access to a VPN to bypass all the nastyness they introduce. In addition, even some "normal" ISPs do introduce a feature called "transparent proxy" to manage traffic. Transparent proxies are nice in that they are easy to setup up and invisible ("transparent") to the user. However, the browser isn't aware of them, and as a result the transparent proxy even if configured non-malicious can still cause confusion bout the same origin policy browser depend on to isolate web sites from each other.
A transperent proxy works in conjunction with a firewall. The firewall will route traffic to the proxy, but changing the desitination IP address of the packet to the proxy's IP address. The proxy now relies on the "Host" header to identify the target site. As a result, the relationship between IP address and host name that the client established is lost.
There is a pretty simple test to figure out if you are behind a simple transparent proxy: Telnet to a "random" IP address (e.g. 192.0.2.1) on port 80. Then, copy/past a simple HTTP request, that includes the host header (the part you type is shown in bold font:
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments
Importing a compromised CA certificate in your web browser and/or OS (or Java environment etc.) completely breaks PKI (including binary- and e-mail signature verification) on your PC.
For example, Cyberoam devices:
https://blog.torproject.org/blog/security-vulnerability-found-cyberoam-dpi-devices-cve-2012-3372
Fortinet Fortigate devices:
http://www.kb.cert.org/vuls/id/111708
These are examples; other SSL inspection devices are known or suspected to come with default (identical) CA certificates (plus private keys) in firmware which, IMO, means that you should treat them as compromised (the solution is that administrators of such devices replace the CA certificate by a self-signed cert they generated themselves, in a secure manner - which is far from obvious).
Erik van Straten
Dec 6th 2012
1 decade ago
Will
Dec 6th 2012
1 decade ago
they are transparent towards the server side too.
An interesting test is to use tcptraceroute from the client.
You would see the internet webservers always at the same hop
behind the router where the proxy lives.
Jens
Dec 6th 2012
1 decade ago
http://www.lagado.com/proxy-test
http://www.lagado.com/tools/cache-test
Chuck
Dec 7th 2012
1 decade ago
BGC
Dec 7th 2012
1 decade ago
We do have a list of whitelist exclusions which we do not perform this for (banking, HR functions such as healthcare, etc.). Additionally we have to whitelist a handful of places that require client certificates and are business essential.
Additionally, if one does not do this, or does not have a whitelist-only proxy, and if you don't have 802.1x LAN auth and total workstation lockdown (no external media, etc.), there is nothing to stop someone from running an SSL VPN or SSH over port 443 with an http-proxy add-on liie corkscrew, and naturally the proxy will just blindly forward on the 443 traffic.
Jason R
Dec 7th 2012
1 decade ago