Is connecting to a proxy server with HTTP for a HTTPS Request secure?
Asked Answered
A

1

6

I have a use case where I would like to connect to a proxy server with HTTP, but the underlying request is actually a GET with HTTPS. I have been reading When should one use CONNECT and GET HTTP methods at HTTP Proxy Server?, but I think i need some clarification. Since the underlying request is HTTPS does this mean when I "connect" to my proxy server it will automatically open a CONNECT and just pass through my HTTPS request? My main concern is if I use HTTP to connect to my proxy server, then the underlying HTTPS request is somehow exposed until it hits the proxy server. Thanks in advance.

Abbotsun answered 27/11, 2017 at 0:1 Comment(0)
C
11

Yes, whatever your browser says inside a https session is encrypted before, during, and after it passes through a proxy. No, it is not exposed to a proxy. For a proxy, the HTTP CONNECT means just "copy raw bytes around without any interpretation". The proxy does see in plain text the part of url that is in caps here: HTTPS://EXAMPLE.COM:9443/secret/place. It doesn't see the rest of url or anything else; doesn't see headers or data. (If a proxy is really intrusive and decrypts and re-encrypts your session it is visible via a certificate. Your browser would need to be compromised to trust a man-in-the-middle certificate. Uncompromised browser quite visibly warns you.)

Practically, using http only between a browser and a proxy is presently the most popular way of proxying.

Complexion answered 10/1, 2018 at 22:20 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.