English فارسی Suomi
Français Nederlands Translate

Circumvention Tools

CircumventionTools: BrowserProxyRisks

Web Proxy Risks

You should be aware of some of the risks associated with the use of Web proxies, especially those maintained by people or organizations you do not know. If you use a proxy to view a public Web site like npr.org, your only risk is that someone will know you were reading the news there (and using a proxy to do it). However, if you use a proxy to send private communications or to reach applications like Web mail, online banking or shopping, there is a risk that other people could access and misuse your information, including your private passwords, especially if those services don't use encryption or if the proxy prevents you from using that encryption.

Lack of Privacy

Systems to circumvent filtering or blocking do not necessarily provide anonymity (even those that may include words like "anonymizer" in their names!). If the link between you and the Web proxy is unencrypted (HTTP as opposed to HTTPS), as with many free Web proxy services, either the operator of the proxy or an intermediary such as an Internet Service Provider (ISP) can intercept and analyze the content. In that case, although circumvention may be successful, network operators can still track the fact that you have used a Web proxy and can determine the content and Web sites you visited.

A Web proxy that does not encrypt your connection sometimes uses other methods to avoid Internet filtering. For example, one simple technique is called ROT-13, in which the current letter of a URL is replaced by the one that is thirteen characters ahead of it in the standard Latin alphabet. (You can try it yourself at http://www.rot13.com/) Using ROT-13, the URL http://ice.citizenlab.org becomes uggc://vpr.pvgvmrayno.bet -- making it unrecognizable to a keyword filter. This may help you in reaching your Web destination, but has its weaknesses: the content of the session can still be detected and such measures can easily be reversed.


Advertising, viruses and malware

Some of the people who set up Web proxies do it to make money. This may be done simply and openly by selling advertisements on the pages. More maliciously, some proxy operators may try to infect the computers of those using their proxies with malware, or malicious software. These so-called "drive-by-downloads" can hijack your computer for spamming or other commercial or even illegal purposes.

The most important things you can do to protect against viruses is to keep all of your software -- including your operating system -- updated and to use an up-to-date antivirus scanner. You can also block ads by using the AdBlockPlus Extension for the Firefox Browser (http://www.adblockplus.org/). More information on avoiding these risks can be found at the StopBadware Web site (http://www.stopbadware.org/). 

The operator of ATunnel.com supports the free service by selling advertisements (in this example for razors). This is a typical example of an ad-supported proxy server.


Cookies and scripts

There are also risks concerning the use of cookies and scripts. Many Web proxies can be configured to remove cookies and scripts, but many sites (for example, social networking sites like Facebook) require the use of cookies and scripts. Be careful when enabling these options, because the cookies may be saved on your computer even after you restart it, and so could provide evidence of which sites you visited. One option is to allow selective use of Cookies. In Firefox 3, for instance, you can instruct the browser to accept cookies only "Until I close Firefox". (Similarly, you can instruct your browser to erase your browsing history when you close it.)

Some sites and advertisers can use these mechanisms to track you even when you use proxies. If you are trying to be anonymous, this can be a problem because this tracking can produce evidence, for example, that the person who did one thing openly is the same person who did another thing anonymously.

The proxy operator can see everything

Even though your connection to the Web-based circumventor may be secure (encrypted), the owner of the proxy will have access to the content of your communications after decrypting them. An additional security concern is the records (log files) that the proxy provider may keep. Depending on the circumventor's location, or the location of their server, authorities may have access to those log files.