Is it safe to buy online through a proxy?

  • 05-03-2009 10:55am
    #1
    Closed Accounts Posts: 3,762 ✭✭✭


    I hope this is the right place for this?

    Recently I discovered that a website I buy off of bases its prices on the location of the computer. They offer free delivery you see, so the price is adjusted so they can afford the delivery.

    However I found out that if the site is accessed through a proxy the cheaper UK prices turn up (up to 25% cheaper) and I can buy at these prices.

    Question: is it safe to buy through a proxy? I would have to enter my CVV number and my email address only, as the Visa details are saved on the shop's server?


Comments

  • Closed Accounts Posts: 16,713 ✭✭✭✭jor el


    You'll be giving all your details to those who operate the proxy. They could also be caching the pages, and you might lose the SSL connection.

    Bottom line, not safe at all.


  • Registered Users, Registered Users 2 Posts: 255 ✭✭paddyb125


    No this really isn't safe at all, are you getting the item delivered to Ireland?


  • Closed Accounts Posts: 3,762 ✭✭✭turgon


    Yeah being delivered to Ireland, although surprisingly this isn't an issue at all, at the last stage of shopping before ordering the cheaper price is still there.

    I was thinking of setting up my own proxy on some free UK hosting maybe??

    EDIT: I wouldn't actually have to enter my Visa Card number, ONLY the CVV number at the back.


  • Registered Users, Registered Users 2 Posts: 5,015 ✭✭✭Ludo


    It may become an issue when they process your submitted order and they realise you are getting something delivered to Ireland at UK delivery costs. If it was me I would contact you and ask you to pay more or cancel the order.


  • Closed Accounts Posts: 3,762 ✭✭✭turgon


    Well obviously a risk that they would cop, which is why I would only buy a small item first to see if it worked.


  • Registered Users, Registered Users 2 Posts: 9,244 ✭✭✭sdanseo


    Not something I'd do. The proxy provider will have your details and the shop could easily *shock horror* look at your address manually and decide to charge you more anyway. Just take the hit this time, or check on adverts/ebay etc.

    What is it you want to buy?


  • Closed Accounts Posts: 42 lukasbasic


    it is safe. proxies are not able to cache ssl packets. even if they cache the data it can't be re-used


  • Closed Accounts Posts: 3,762 ✭✭✭turgon


    Another suggestion: I could use one of those temporary 3V credit cards. Whether the fees would negate the saving remains a question.
    sdonn_1 wrote: »
    What is it you want to buy?

    A few books, this website is the cheapest on the net even when buying from Ireland, even cheaper when from UK.


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    It's safe.

    The SSL encryption takes place at either end of the connection meaning that all data sent between your browser and the site is encrypted and cannot be spied on by the proxy server.
    The proxy server simply acts as a go-between, and cannot see the data in each individual packet because of the encryption.


  • Closed Accounts Posts: 3,762 ✭✭✭turgon


    Cheers seamus, but would the fact the proxy is not in https:// be a problem? This means there's no lock in the bottom corner.


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Not entirely sure what you mean. If you're making an order through any site and the connection isn't secure, then by Jeebus GTFO of there.

    Edit:

    I should clarify that many shops do much of the order process - shipping, etc - over an unsecured connection and then switch to an encrypted connection when it comes to processing credit card data. This is generally fine, but if you're accessing the site through a proxy which you don't control, then the owner of the proxy can theoretically mine any personal data that you hand over to the site with the exception of the credit card data.


  • Closed Accounts Posts: 3,762 ✭✭✭turgon


    Well I have an account set up with the site and I have my Visa details (visa number, expiry date, name etc) saved with them. All https of course.

    When I go onto the proxy I go to the site and log on using my email and password. Now the address up the firefox bar is http://a-sample-proxy.com but the address it's proxying is https://book-shop.com.

    After logging on I then place books in the cart and enter my 3-digit CVV number on my visa and order. That's it.

    So I don't know if it's really a secure connection. One thing that comes to mind is simply to change my password after ordering? That way if someone stole my details they would only have my email address and CVV number. However if they did cache the page then they could also get the last four digits of my visa card number (on the checkout page it goes "you are using card **** **** **** 1234").

    What do you think??


  • Registered Users, Registered Users 2 Posts: 255 ✭✭paddyb125


    Personally I think it's a bad idea, up to you though..


  • Registered Users, Registered Users 2 Posts: 21,611 ✭✭✭✭Sam Vimes


    turgon wrote: »
    Well I have an account set up with the site and I have my Visa details (visa number, expiry date, name etc) saved with them. All https of course.

    When I go onto the proxy I go to the site and log on using my email and password. Now the address up the firefox bar is http://a-sample-proxy.com but the address it's proxying is https://book-shop.com.

    After logging on I then place books in the cart and enter my 3-digit CVV number on my visa and order. That's it.

    So I don't know if it's really a secure connection. One thing that comes to mind is simply to change my password after ordering? That way if someone stole my details they would only have my email address and CVV number. However if they did cache the page then they could also get the last four digits of my visa card number (on the checkout page it goes "you are using card **** **** **** 1234").

    What do you think??

    if it's http between you and the proxy it doesn't matter if it's https from them to the website, you're still sending your information in plain text to the proxy.


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    That doesn't sound safe at all turgon, definitely not worth the risk. I imagine their intention is specifically to steal your private data.


  • Closed Accounts Posts: 3,762 ✭✭✭turgon


    seamus wrote: »
    That doesn't sound safe at all turgon, definitely not worth the risk. I imagine their intention is specifically to steal your private data.

    Whose intention?

    The book shop is totally legit, I have bought off of them recently and they are highly recommended online. There's no problem there.

    The only issue is with the proxy. One solution was to set up my own, but I haven't found free UK hosting that will allow it.

    Also, if I had my own proxy, would there be issues with someone listening between proxy and the shop??

    Thanks for all your replies btw.


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    The proxy's intention. I assumed you'd found one.

    Yes, it is theoretically possible for someone to spy on your information travelling between your machine and the proxy. Don't forget that intermediate networks, ISPs in particular, may be bound by law to retain all information which passes through their network, including your unencrypted personal details.


  • Closed Accounts Posts: 3,762 ✭✭✭turgon


    seamus wrote: »
    The proxy's intention. I assumed you'd found one.

    You see it wouldn't be worth paying for a proxy, I found a free UK one - http://proxywizz.com/ Not ssl though. Do you think it's dodgy as fùck???!!!

    I'm kind of curious at this stage to see if it would work, though obviously I'm not rushing into anything. As I said previously a 3v temporary credit card could be the solution.


  • Closed Accounts Posts: 1,616 ✭✭✭97i9y3941


    Wouldn't you also be forced to still pay euro prices, I mean if you were paying by credit card, the bank would still charge you in euro because of change over rate?


  • Registered Users, Registered Users 2 Posts: 15,332 ✭✭✭✭loyatemu


    even if your credit card details are stored securely on the vendor's site, the proxy owner only has to get your login details for that site to be able to abuse your account. Bad idea IMO.

    Alternative would be to use a disposable or limited credit card like 3v or Entropay - depends on whether you think this is worth the hassle and the extra fee for using these.


  • Closed Accounts Posts: 3,762 ✭✭✭turgon


    loyatemu wrote: »
    even if your credit card details are stored securely on the vendor's site, the proxy owner only has to get your login details for that site to be able to abuse your account. Bad idea IMO.

    Well I would change my password afterwards.
    loyatemu wrote: »
    Alternative would be to use a disposable or limited credit card like 3v or Entropay - depends on whether you think this is worth the hassle and the extra fee for using these.

    €20 3v vouchers have no fee so that would be the way to go.


  • Closed Accounts Posts: 1 yiguro


    Yes it's safe, BUT...

    I'm not a security expert, but I'll try to shed some light:

    The "Yes it's safe" part:

    HTTPS and SSL enable an encrypted connection. Indeed, it was made in such a way that you could transmit data securely, even if the medium was not reliable. As turgon said:
    Turgon said:
    The proxy server simply acts as a go-between, and cannot see the data in each individual packet because of the encryption.

    This is true. Note, however, that the proxy needs httpS support, which is something not many free ones provide:
    Well I have an account set up with the site and I have my Visa details (visa number, expiry date, name etc) saved with them. All https of course.

    When I go onto the proxy I go to the site and log on using my email and password. Now the address up the firefox bar is http://a-sample-proxy.com but the address it's proxying is https://book-shop.com.

    After logging on I then place books in the cart and enter my 3-digit CVV number on my visa and order. That's it.

    So I don't know if it's really a secure connection. One thing that comes to mind is simply to change my password after ordering? That way if someone stole my details they would only have my email address and CVV number. However if they did cache the page then they could also get the last four digits of my visa card number (on the checkout page it goes "you are using card **** **** **** 1234").

    What do you think??

    That's simply because the proxy you are using (a free one, I suspect?) doesn't support httpS. For example, I've just tried this free one: http://bind2.com/. I type gmail.com in the field next to "Go" and I press that "Go" button. A warning message appears basically saying that the proxy doesn't support httpS, and I end up on an unsecured version of gmail http://bind2.com/browse.php?u=czovL...:

    proxy-not-supporting-httpS_small.jpeg


    This is clearly NOT safe. By the way, that uses a web based interface. DON'T USE A WEB INTERFACE, unless you trust the people who run the proxy (i.e, paid ones). Instead, for free httpS proxies, search google, and write down the IP and secure SSL port, next, go to your browser's/operating system configuration and fill that in, like this:
    proxy-configuration.jpeg

    Then you should see https://mail.google.com in your browser's address bar (and not something like https://your-proxy-name/mail.google.com). When using IP/Port configuration instead of web based, other than speed, there must be absolutely NO DIFFERENCES from NOT using a proxy. Again, I wouldn't trust free web based "secure" proxies, because it could be that they establish a non-legitimate secure connection with you and another legitimate secure connection with the place you're buying things from, and in this scenario they could sniff all the information, and your browser wouldn't show any warnings. However, if NOT using a web based proxy, your browser WILL WARN YOU. For more information, see "the BUT..." part.
    Seamus said:
    I should clarify that many shops do much of the order process - shipping, etc - over an unsecured connection and then switch to an encrypted connection when it comes to processing credit card data. This is generally fine, but if you're accessing the site through a proxy which you don't control, then the owner of the proxy can theoretically mine any personal data that you hand over to the site with the exception of the credit card data.

    Mmmmmm. Maybe, but what I really think happens in the situation depicted by Seamus, is that some shop pages are unsecured (http), but post to a secure (httpS) page, which is something that, although being safe, confuses and makes everyone suspicious. Look at this page image and the information below, extracted from https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf

    post-to-https.jpeg

    First, note that the page is http, not httpS. Now, the PDF quote:
    This button (SIGN IN) posts to an HTTPS link, but there's no way to know that. It's a button, so if you mouse-over it, the link isn't displayed in the browser bar at the bottom. The best you could do would be to view the page source, but that's problematic in browsers like Firefox that issue a second request to the server for the source.

    SIDE NOTE: that is an old bankofamerica page. Now, they do the right thing, i.e, it is a secure page from the beginning, when you type your user and password you already know you're in an encrypted page:
    bankofamerica-new.jpeg

    hotmail.com still works that http-but-post-to-httpS way. However, when shopping, I've seen this happen only once, when I bought some books online three years ago. The filling form with all the information (name, address, credit card...) was in an unsecured http, but once you pressed the submit button, it would turn to httpS. IMO, this is just bad web programming. However, I've never encountered a case like this again. Anyway, this would happen whether you're using a proxy or not, so just check they're the same unsecured http:// in both situations to be safe. If it's https:// without proxy and http:// through proxy, they're trying to steal your passwords for sure. How do they do that? Continue reading on "the BUT... " part below:


    The "BUT..." part:


    Back in the day, in 2002, there was a program called "sslsniff" that enabled a middleman (which could be an evil ISP, or a proxy in your case) to retrieve all the information you sent. It worked by enabling a secure connection between you and the middleman, and another one between the middleman and the legitimate server you are buying things from. So even though everything looked perfectly secure (httpS, padlock, etc), your information was being sniffed. However, this security problem was fixed on all browsers since 2002-2003, and now they show a "negative feedback of death":

    negative_feedback_of_death.jpeg

    However, this WILL NOT show up when using a web based proxy, even if it's an httpS web based proxy, so don't use web based proxies unless you trust the people who run it.

    Recently, in 2009, another program called "sslstrip" attacks the "bridge" between http and httpS. Let me explain: when you type "gmail.com" in your browser's address bar, it internally substitutes it with http://gmail.com, and then the gmail server redirects this page to httpS://mail.google.com. "sslstrip" works by exploiting this redirection. When you access the hijacked page, it looks the same, except it is not a secure page, it's http instead of httpS. It even shows a fake padlock in the favicon. Note that no "negative feedback of death" or warning message is shown by your browser, so you have to check for yourself.
    _________________________________________


    SO WHAT?

    SO, summing up: It is safe to buy through a proxy as long as:
    • You don't use a web-based proxy (i.e, you fill IP and SSL port on your browser/operating system configuration) unless you trust the people who manage it.
    • Your proxy has httpS support.
    • You use a modern, updated browser.
    • You check the page where you are filling the credit card details has httpS:// header (99% of legitimate pages today), or alternatively:
      that, being an unsecured http, it posts your credit card details to an httpS page. In this situation:
      • Check if the page is unsecure http:// when both using and not using a proxy. As I said before, If it's https:// without proxy and http:// through proxy, they're trying to steal your passwords for sure.
      • Hover (mouse-over) "submit/send" if it is a link, or check the page source code if it's a button, to see if it really posts to an httpS page.

    I hope this sheds some light.

    Cheers.
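
Added example, not part of the post above or of any post in this thread: a small Python check for the two page-source tests the checklist describes, namely where a form with password or card fields really posts to, and whether a page that is https when opened directly appears as http through the proxy. The hostnames `shop.example` and `proxy.example`, the field-name hints and both HTML samples are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

HINTS = ("pass", "card", "cvv", "cvc")  # assumed field-name hints

class FormCollector(HTMLParser):
    """Record each <form> action and whether it holds a sensitive input."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "sensitive": False}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            name = (a.get("name") or "").lower()
            if (a.get("type") or "").lower() == "password" or any(h in name for h in HINTS):
                self._cur["sensitive"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit_page(page_url, html):
    """Return (post_target, verdict) for every form with sensitive fields."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["sensitive"]:
            continue
        target = urljoin(page_url, form["action"])  # empty action = same page
        if urlsplit(target).scheme != "https":
            verdict = "UNSAFE"   # data leaves the browser unencrypted
        elif urlsplit(page_url).scheme != "https":
            verdict = "RISKY"    # https post, but the http page can be rewritten in transit
        else:
            verdict = "OK"
        findings.append((target, verdict))
    return findings

def downgraded(direct_url, proxied_url):
    """True when a page that is https directly shows up as http via the proxy."""
    return (urlsplit(direct_url).scheme == "https"
            and urlsplit(proxied_url).scheme != "https")

# Constructed sample pages (hostnames are placeholders).
OLD_STYLE_LOGIN = '<form action="https://shop.example/session" method="post"><input name="email"><input type="password" name="pw"><input type="submit"></form>'
VIA_WEB_PROXY = '<form action="/browse.php?u=abc" method="post"><input name="cvv"></form>'

if __name__ == "__main__":
    print(audit_page("http://shop.example/login", OLD_STYLE_LOGIN))
    print(audit_page("http://proxy.example/browse.php?u=xyz", VIA_WEB_PROXY))
    print(downgraded("https://shop.example/checkout", "http://proxy.example/browse.php?u=xyz"))
```

The second sample shows why a web-based proxy fails the check: the form action has been rewritten to a relative proxy URL, so it resolves to plain http on the proxy's own host.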


  • Registered Users, Registered Users 2 Posts: 33,518 ✭✭✭✭dudara


    Moved to Online Buying & Auctions

    dudara

