Proxy Servers

[gboyce at badbelly.com (Gregory Boyce)]

On Fri, 4 Mar 2005 trlists at clayst.com wrote:

> I am familiar with the general idea of proxy servers, which I
> understand to be to provide caching, filtering, and perhaps logging
> and/or authorization checks, for access to the wider 'net from inside a
> corporate or institutional LAN.
>
> However I've never worked with them so I'm curious to get some opinions
> about a situation I ran into.  Specifically, a relative recently
> informed me that in order to get into a local university network to
> access some class materials held at the campus library web site she had
> to configure her browser to use the university's proxy server.
>
> Am I missing something, or is this a completely backward use of a proxy
> server?  It also seems insecure as anyone with access to the proxy
> server can then read all her web traffic.

This seems kind of like a poor man's VPN.  Assuming the proxy server 
requires authentication of some sort (password, client certificates or at 
least IP acling), this would allow them to restrict who can view their 
internal data.  If they just have the proxy available to anyone who knows 
it's there, it is at best security through obscurity.

Of course maybe the webservers are just on unroutable IPs, and they don't 
care WHO accesses the data.  They just need a way to allow it to be 
accessed remotely.

On a security perspective, it would allow the admin of the machine to 
track web usage, including non-related traffic if you never unconfigure 
the proxy.  The traffic can also be monitored by your ISP.  By anyone else 
on the same hub as you.  By the website's ISP.  Or any of other points 
along the route.  If you're not using encryption, its safe to assume that 
SOMEONE can read your data.

The only added security hole here would be that someone could possibly 
view your PAST viewing habits by looking at the logs of the proxy server, 
where they would normally only see your current viewing history.