Third-Party Anonymous Proxies? No! No! No!

Two security pros explain why they'd never use an anonymous proxy service from a Web-based third party. Part three in a series

This is the third installment of a three-part series on the pros and cons of anonymous proxy services. Read the first installment here and listen to the second installment here.

There are a variety of legitimate reasons for security professionals to use anonymous proxy servers. But would they trust a third-party service that lives on the Web?

Dallas-based security practitioner Kevin Nixon's three-word answer: "No! No! No!"

Using a Web-based anonymous proxy service is about as safe and useful as a frontal lobotomy, says Nixon, a specialist in data privacy and international regulatory compliance.

"If you need more proof, just ask [Alaska Gov. and Republican VP candidate] Sarah Palin, who had her email hacked because" a hacker was able to easily access her Yahoo e-mail account information via the proxy service. Services like that have lax user policies, Nixon says, adding, "Why would anyone hand over a complete list of trusted TCP/IP addresses to any company that has [loose policies] like Ctunnel?"

Web-based anonymizers like this aren't compliant with regulations and industry standards such as FISMA, FACTA, HIPAA, GLBA or SOX, and trusting them sets the user up for an experience like the one Palin was forced to endure, Nixon says.

His concerns reflect those of others CSOonline interviewed regarding the trustworthiness of Web-based anonymous proxy services. One can never be sure who is controlling a given proxy or how strict their moral code may be, which is why George Johnson, chief security officer at the National Center for Crisis and Continuity Coordination (NC4), would never use one.

"Anyone who really cares about protecting what they are doing should not use a random proxy as you do not know who is controlling it," he says. "They could indeed be capturing all of your traffic and it could then be used against you at a later date."

He says those who truly care about the privacy of their transactions must do their homework and understand what protections are provided by the service they are thinking of using.

"That is difficult because it's hard to understand all of the players in the communications link," he says. "I am not aware of a single service that provides enough transparency for people to make an educated decision."

Despite these warnings, there's ample evidence that many people are throwing caution to the wind and putting their trust in these services.

In its recently released "Application Usage and Risk Report," Palo Alto Networks examined more than 60 companies representing more than 960,000 users. Among the findings: 17 different proxy applications were found across 80 percent of the organizations studied.

"The most startling fact outside of the overall frequency is the sheer number of different proxies found in some of the organizations," the report said. "There were several organizations where as many as eight different non-IT supported proxies were found. The most common examples outside of the traditional, corporate-endorsed HTTP proxy were CGIproxy and PHProxy which were found in [up to] 65 percent of the organizations. It is a safe assertion that these applications are being used to conceal some type of user activity or bypass existing URL filtering policies."

Chris King, director of product marketing at Palo Alto Networks, notes that there are reputable services that function in an honest manner, but there are also the seedier services that drop spyware and the like on the user's machine. The trouble is that it can be difficult to tell which is which, especially when IT can't control what's being used.

Security pros who do use anonymous proxies have noted that they come in handy for research purposes. But they rely on proxies created in-house, where they can control how and when they are used. Anonymizers run by third parties on the Web represent something different and less trustworthy, they say.

Copyright © 2008 IDG Communications, Inc.
