In Depth

Third-Party Anonymous Proxies? No! No! No!

Two security pros explain why they'd never use an anonymous proxy service from a Web-based third party. Part three in a series

By Bill Brenner, Senior Editor

October 21, 2008CSO

This is the third installment of a three-part series on the pros and cons of anonymous proxy services. Read the first installment here and listen to the second installment here.

There are a variety of legitimate reasons for security professionals to use anonymous proxy servers. But would they trust a third-party service that lives on the Web?

Dallas-based security practitioner Kevin Nixon's three-word answer: "No! No! No!"

Using a Web-based anonymous proxy service is about as safe and useful as a frontal lobotomy, says Nixon, a specialist in data privacy and international regulatory compliance.

"If you need more proof, just ask [Alaska Gov. and Republican VP candidate] Sarah Palin, who had her email hacked because" a hacker was able to easily access her Yahoo e-mail account information via the Ctunnel.com proxy service. Services like that have lax user policies, Nixon says, adding, "Why would anyone hand over a complete list of trusted TCP/IP addresses to any company that has [loose policies] like Ctunnel?"

Web-based anonymizers like this aren't compliant with regulations and industry standards such as FISMA, FACTA, HIPAA, GLBA or SOX, and trusting them sets the user up for an experience like the one Palin was forced to endure, Nixon says.

His concerns reflect those of others CSOonline interviewed regarding the trustworthiness of Web-based anonymous proxy services. One can never be sure who is controlling a given proxy or how strict their moral code may be, which is why George Johnson, chief security officer at the National Center for Crisis and Continuity Coordination (NC4), would never use one.

"Anyone who really cares about protecting what they are doing should not use a random proxy as you do not know who is controlling it," he says. "They could indeed be capturing all of your traffic and it could then be used against you at a later date."

He says those who truly care about the privacy of their transactions must do their homework and understand what protections are provided by the service they are thinking of using.

"That is difficult because it's hard to understand all of the players in the communications link," he says. "I am not aware of a single service that provides enough transparency for people to make an educated decision."

Despite these warnings, there's ample evidence that many people are throwing caution to the wind and putting their trust in these services.

In its recently-released "Application Usage and Risk Report," Palo Alto Networks examined more than 60 companies representing more than 960,000 users. Among the findings: 17 different proxy applications were found across 80 percent of the organizations studied.

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Data Center Directions Virtual Conference

Data Center VCAttend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.

» Learn more and register here

WEBCAST
Safeguarding the New Currency of Business

PricewaterhouseCoopersWatch this webcast to learn how your organization can leverage PricewaterhouseCoopers' Global Information Security Survey 2008, the world's largest survey on privacy and infosec practices.

» View the webcast

Featured Sponsors