Proxy Servers - Encrypted Tunnels

If only you knew how many hoops I've gone through to get here...

🕔 20 - 25 minutes

What is a proxy server?

When you make a connection to a website, what you are actually doing is connecting to a server somewhere in the world. You request some data from the server, and depending on whether you have access to it or not, it responds back to you. As a result of this process, you are able to view this webpage. However, on the modern web what you are actually connecting to first is a server-side proxy, which basically acts like a bridge.

Let's say our lovely characters Alice and Bob are trying to communicate. Alice goes and asks the proxy server, "What does Bob think about X?". The server does what is requested and asks Bob the question. Then the answer is sent back to Alice. You may think of the proxy as an entity in the middle of the conversation.

Instead of reaching Bob directly, why would we want something in the middle? Well, we don't want that every time. If there are a lot of requests trying to reach Bob and they need to be filtered, that filtering can be performed on the proxy server. This is one of the many uses of a proxy. If you've been on the internet for a while, you've probably seen a page like the one below.

Browser check before connection

In this case the proxy is used to block access by spammers or botnets. It is similar to the "I'm not a robot" test, but done in a different way.

Different types of proxies

Proxy as a means to reach a place

A proxy is not necessarily a server-side application. You could use a proxy locally to connect to some service on the internet. You might be tempted to ask "Why for god's sake would anyone want to do that?". You may not want to reveal your home IP address to whatever server you are connecting to. Let's say you wish to learn more about human anatomy and there is a specific site you wish to visit, but for whatever reason it is blocked in your country. You could get around this problem with a proxy.

A local proxy could also be used to block certain kinds of content, or to filter out publicly known malicious websites. Basically, when you try to make a connection to a server that is known to be malicious, your computer or browser would warn you about the security risks ahead before even establishing the connection. In fact, you are already doing something like this with DNS, right now. If you do not specify a DNS server yourself, one will probably be picked for you by your internet service provider. In a nutshell, a DNS server lets you connect to an IP address using human-readable names. For instance, you are reading this from math462.mathwizard.xyz, but that is not an IP address, is it? The IP address of my website is known to your DNS provider, and when you typed this address into your browser, it directed you to my server. This is also a proxy, in a way.

Proxy as a means of distributing a service

Well-known big websites that get a lot of traffic will try to redirect you to a server that is closer to you, so that you can view the website contents faster. The idea is that there is one main server, and it has many clones around the world that get the data from this main server and cache it. What does that even mean? It basically creates a copy of that content on the server that is closer to you, so that you don't need to download that data, the website content in this case, from the main server.

Using your browser, you have probably switched to an entirely different website and then come back to the previous one. You will notice that it sometimes loads instantly. The reason for that is that your browser caches some of the data required to view that page for some period of time. On most systems these are temporary files, and they will be deleted after you close the program. If it is a commonly used application, that piece of software may choose to keep them for a longer time, unless you specify otherwise. This lets you view content faster, and you don't need to download the same thing over and over again.

Proxy as a means of secure communication

You are connected to this website using HTTPS, which stands for Hypertext Transfer Protocol Secure. This is an extension of the old HTTP standard and it is commonly used today. Almost any modern browser will not even let you connect to a website that uses plain HTTP without giving you a warning prompt. If you know the basics of asymmetric key exchange, you already know what's behind this protocol. If you have no idea, you are encouraged to check out Encryption-101.

There is probably a 🔒 icon telling you that your connection to this website is secure. Your browser lets you see even more information, if you ask for it.

Menu showing secured connection to website

Even more details about the site

From there, you can see which TLS version is being used (which we will talk about later), what encryption method is used, what the certificate is, and which organization verified it. When you try to send some piece of information to the server, the packets are encrypted using the public key of the server before leaving your device. This ensures that in the event that a third party is eavesdropping on the connection, they cannot see the contents of the packets. Such eavesdropping is called a man-in-the-middle attack.

Keep in mind that HTTPS only ensures that the connection between you and the real server is secure, assuming that you are actually connecting to the real server. Somebody else can still impersonate the server you are trying to reach and act as if everything is fine, while all data sent from your browser is completely available to the attacker. It is the user's responsibility to make sure they are connecting to the right place. This is one of the many benefits of knowing about secure communication protocols: you are far less likely to fall victim to a phishing attack. The contents of a website can be mimicked, but the domain name can't be. I could create a website claiming to be youtube.com, but I cannot have that exact domain, it is already taken. For that reason, always check the website address before you send any data.

Transport Layer Security (TLS)

If you have ever set up a connection to an email server manually, you have probably at least heard of this. For instance, the mail server of Boğaziçi University has the settings below.

Domain names for Bogazici Un. mail

TLS settings for Bogazici Un. mail

It is commonly used in messaging applications, email, websites and the like. It starts with the user requesting a TLS connection. If the server for that specific application is designed to accept only TLS connections, which in most cases it is, it will simply refuse other connections. This is called a TLS handshake. It consists of the following.

If this is just a simple key exchange, why do we need an entirely different protocol for it? Did we not already have this before? Well, yes we did. TLS exists for mainly two reasons. The first is that not every type of hardware supports every form of encryption. There are plenty of them out there, so if one of them can't be used by the client, one of the others in the list can be utilized. It helps to have one main protocol controlling the connection, which has become the industry standard.

The other reason is to authenticate the certificates, and the program running on the server that is doing these tasks. There are trusted authorities around the world that issue these certificates, and all major browsers work together with them. This ensures that when you see a TLS sign on a website with an issued certificate, you know for a fact that it is what it says it is, and not some other program doing something else under the same name. An argument can be made about whether or not this is the best solution to the problem, but right now this is what we have.
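The certificate check described above only helps if the browser also verifies that the name in the certificate is the name you typed (the point made earlier about domain names not being mimicable). The following is an added example, not the article's own code: a simplified hostname matcher in the style browsers apply after the handshake, run against a constructed certificate SAN list (the names youtube.com and *.youtube.com are sample values).

```python
# Added example (not from the article): the hostname check a browser performs
# after the TLS handshake, in simplified RFC 6125 form. The SAN list and the
# hostnames used below are constructed sample values.
from typing import Iterable


def _label_matches(pattern: str, name: str) -> bool:
    """Compare one DNS name pattern (possibly with a leading wildcard) to a hostname."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name  # no wildcard: exact match only
    # A wildcard covers exactly one leftmost label, so *.youtube.com matches
    # www.youtube.com but neither youtube.com nor a.b.youtube.com, and a bare
    # *.com is never accepted (too few labels).
    p_labels, n_labels = pattern.split("."), name.split(".")
    if len(p_labels) != len(n_labels) or len(n_labels) < 3:
        return False
    return p_labels[1:] == n_labels[1:]


def hostname_matches_cert(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """True if the hostname in the address bar is covered by one of the
    certificate's Subject Alternative Name entries. Without this step the
    tunnel is encrypted, but you have no idea who is on the other end."""
    return any(_label_matches(p, hostname) for p in san_dns_names)


# Constructed sample: SAN entries a certificate for a real site might carry.
SAMPLE_SANS = ["youtube.com", "*.youtube.com"]


def check(hostname: str) -> bool:
    """Verify a hostname against the constructed SAMPLE_SANS certificate."""
    return hostname_matches_cert(hostname, SAMPLE_SANS)


if __name__ == "__main__":
    # A look-alike domain such as youtube.com.example fails even though a
    # phishing site can present a perfectly valid certificate for its own name.
    for host in ["youtube.com", "www.youtube.com", "youtube.com.example", "a.b.youtube.com"]:
        print(f"{host:22} -> {'ok' if check(host) else 'certificate does NOT match'}")
```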

Keep in mind that these are all protocols to ensure that a man in the middle cannot see your conversations with the server. However, it is up to the destination server to decide what to do with this data. If you are sharing this data with an advertising company that ultimately tries to track you, it doesn't matter much that you made the connection with TLS. Yes, somebody else can't read it, but they are going to sell this data to the highest bidder anyway. For that reason, choose carefully who you trust this data with. TLS unfortunately cannot protect you if you lack common knowledge about the internet.

For even more detailed information you may check out here and here.

Common myths about proxies

Among most people, proxies are known for what they do rather than as proxy servers as such. That's why you don't commonly hear people mention them. Because they are an (in most cases) invisible layer between you and the server, they are frequently misunderstood. If the proxy you are using is set up by the administrators of a service, and you trust them, it is fine. However, if you wish to use a local proxy, meaning that you knowingly want to pass your traffic through some other place, you had better know what you are doing. If you set that server up yourself, knowing its ins and outs, from the bottom up, every piece of software running on it, kudos to you my friend, you really are a computer wizard, and you probably already knew everything mentioned in this article. If you didn't, which is what I am assuming, you are simply creating a bigger online fingerprint.

Using proxies makes you invisible

This topic deserves an entirely different article on its own, but we will just touch on the basics here. Your IP address is not even a reliable way to identify who you are, because it will change from session to session, and there is a good chance that one person connects to a service from many different places, for instance using a public cafe WiFi. Therefore, major websites do not rely on just an IP address to work out who you are.

When you make a connection to widely known big websites, you share a ton of metadata with them. When a company's entire purpose is to track you online, they come up with very clever ways to do it under the hood, trust me on this one. If I made a list here of the metadata Google collects about you when you make a connection, this page would probably be longer than an average novel. Cookies stored in your session, your language preferences, the fonts installed on your system, your operating system, your mouse movements, the extensions in your browser, your screen resolution, your system time, should I keep going? I could do this the entire day.

Unless you are using something like Google Chrome, for whatever reason, you can set your browser up in such a way that it either does not share that much information about you, or it shares fake, generic information, so that it is harder to identify you. The issue of anonymity is way deeper than one initially thinks. It also depends heavily on what you are trying to protect yourself against: is it the Fourteen Eyes, or is it perhaps Boğaziçi Rektörlüğü? In simple terms, you cannot achieve anonymity just with a proxy; this is a ridiculous claim.

Use a VPN, if you want to keep your data safe

If you've been on the internet for some time, you have probably heard about VPNs, which stands for Virtual Private Networks. Just like the others mentioned above, they are another kind of proxy, acting on your behalf when you make a connection to a website. There are legitimate uses for a VPN, and I don't mean to say they are useless. They are useful for reaching regionally blocked content.

At this point in the article, provided that you actually read the material presented above, you should immediately see that this is a nonsense claim. Your data is kept safe by encryption tools like TLS, HTTPS, .... mentioned above. When you connect to a website that uses these protocols, nobody other than the server can read that data to begin with. You don't need a VPN for this; I would even argue that you are making the situation worse by using one, at least for this purpose. You have simply shared where you are connecting to and what you are sending with a third party that acts as a middleman.

If you consume video content online, you have probably come across a VPN ad. By the way, you may use XXXXX-vpn.com with CODE: mathwizard to get a 99% discount on your first purchase. Jokes aside, many people who advertise these products do not know what they are talking about. I don't mean any offense to them, but you should take their word with a grain of salt. I will not give VPN names here, but they can easily be found with a little web search. Many of them claim to have no-logging policies, or absolute anonymity on the internet, or claim that somebody can read what you send to a website if you are not using their product. As an informed reader, there is now a 0% chance that you will believe these claims, I hope.

You can sign into your bank just fine from the public internet of a cafe, provided that it uses HTTPS, which banks absolutely do. Somebody can look at that traffic and see that you are making a connection to your bank, but they cannot read the contents of those packets; they have no clue what you are doing there. This is the beauty of public key cryptography. The information is out there, but only your intended recipient can read it.
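To make the two preceding points concrete (a proxy or VPN learns where you connect, while an HTTPS payload stays unreadable to it), here is an added example that is not part of the original article: a parser for requests as a forward proxy receives them, run over constructed sample traffic. The hostnames login.example and bank.example and the request bytes are made up for this illustration.

```python
# Added example (not from the article): what a forward proxy, a VPN exit or
# anyone on the cafe Wi-Fi can read from a connection, depending on whether the
# browser speaks plain HTTP or HTTPS through it. All requests are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Visible:
    destination: str                      # host:port being contacted (always visible)
    method: Optional[str] = None          # request line details, plain HTTP only
    path: Optional[str] = None
    headers: dict = field(default_factory=dict)
    body: Optional[bytes] = None          # readable only when not encrypted
    opaque_bytes: int = 0                 # encrypted payload: size visible, content not


def what_the_middle_sees(raw: bytes) -> Visible:
    """Parse one request the way a proxy in the middle receives it.
    Plain HTTP: the proxy gets the full URL, headers and body in the clear.
    HTTPS: the browser first sends 'CONNECT host:443'; everything after the
    proxy's 200 reply is the TLS tunnel, just opaque bytes to the proxy.
    (In this sample the tunnelled bytes are appended right after the request.)"""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    if method == "CONNECT":
        # Only the destination leaks; the TLS records inside are unreadable.
        return Visible(destination=target, opaque_bytes=len(body))
    # Absolute-form URL as sent to a proxy: http://host[:port]/path
    rest = target.split("://", 1)[1]
    host, _, path = rest.partition("/")
    if ":" not in host:
        host += ":80"
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    return Visible(host, method, "/" + path, headers, body)


# Constructed sample traffic: a plain-HTTP login and an HTTPS session to a bank.
PLAIN_LOGIN = (b"POST http://login.example/session HTTP/1.1\r\nHost: login.example\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&pw=secret")
TLS_TO_BANK = (b"CONNECT bank.example:443 HTTP/1.1\r\nHost: bank.example:443\r\n\r\n"
               + b"\x16\x03\x03\x00\x05" + b"\x00" * 5)   # stand-in for TLS record bytes

if __name__ == "__main__":
    for raw in (PLAIN_LOGIN, TLS_TO_BANK):
        print(what_the_middle_sees(raw))
```

The plain-HTTP case hands the middleman the credentials; the HTTPS case hands it only bank.example:443 and a byte count, which is exactly the metadata a VPN provider still collects.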

If you would also like to watch somebody talk about this on a video, you may visit here.

Finishing notes

If you have read this entire article, you should now have a general idea of how secure connection protocols work. These are the absolute fundamentals, and many other protocols out there use some combination of them. They may be more sophisticated, but you can now read about them on their own pages and understand the material, because you know the algorithms behind them.

Online anonymity and data security are wanted by lots of individuals, and we want to just press a button in the hope that it will protect us. We are not living in a fairy tale. No corporate entity cares if your data is stolen or falls into the wrong hands as long as they can make a profit without facing extreme consequences. It is you who should put in the extra work to ensure that your data is safe. Make your own decision about how important this is to you; I can't decide for you.

My very humble opinion

Before I wrap up, I will share my personal thoughts about all this. There is no reason you should care about my advice, I am some random guy on the internet after all. However, if you've come this far, I assume you'd like to at least hear what I have to say about it.

When it comes to privacy and data security, unless you have proof stating otherwise, you should always assume the worst. This is my personal opinion. I'm not telling you to go crazy about the possibility of somebody watching you or something; what I mean is that when a service gives you a promise that is too good to be true, it probably is not true. Let's say that I own a cloud storage service, and I give you access to use it, with the claim that I never store or share your data with third parties, and your files can only be accessed by you, I can't even see them! There is absolutely no reason you should believe me. How do you plan to verify that I don't actually read your files? I mean... I am the owner of the server, who is stopping me from doing whatever I want? Even if those files are encrypted, you do not have the private key. I am doing everything on your behalf, so I can just decrypt them whenever I want.

Let's say that I'm a very nice guy, and would never do something like this. Who tells you that I have not been subpoenaed by a government organization to share your data with them? Do you seriously think that I will tell them no and get into legal trouble? Whatever my agreement was with you does not matter here. I can be ordered not to even tell you that I shared that data about you. I will of course take the easy route; why would I care about it as a third party? This is exactly why you should have encrypted those files before sharing them with me. That way, even if I wanted to do something spooky with them, I would not be able to.

This basically sums up my philosophy on these topics. I do not claim this is the only way to ensure privacy or data security. You are free to take me seriously or not; in any case, stay safe out there!
