by patcheudor 3119 days ago
>So, when I use your proxy you can see and store my http and https traffic (assuming I install the certificate in my device)

Not just see and store, but obviously also tamper with if you want to be thorough in a risk statement.

For years I've done presentations and whatnot to top notch web developers where I've invited them to connect to my proxy in order to demonstrate security flaws - rarely asking them to install my root CA. No matter how many warnings and disclaimers I provide, I always see sensitive traffic through my proxy because someone always connects, despite my advisement against it, with the machine they use for work as opposed to a test VM. Further, weeks after a presentation, I'll still have people connecting through my proxy because they forgot to clear out the settings. Be very, very, very cautious about using this service and do so on a machine that's not configured with email or anything else you care about or will be in the future. Even if you don't install the root CA, there are enough serious flaws in enough non-browser clients (email, chat, and whatnot) as well as sites we tend to use frequently that you should consider that even proxy exposure of HTTP traffic could be a security issue.

1 comment
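The lingering-settings problem patcheudor describes (people still routed through a demo proxy weeks later because they never undid the configuration) is easy to check for. The script below is an added example and is not part of this thread or of any proxy product: it scans the places a proxy setting usually survives (the proxy environment variables and a few per-tool dotfiles) and reports anything pointing at a given host. The config file locations, the demo-proxy host name and the sample environment and file contents are constructed for illustration.

```python
import os
import re
from pathlib import Path
from urllib.parse import urlparse

# Environment variables honoured by curl, wget, pip, git, requests and most CLIs.
PROXY_ENV_VARS = ("http_proxy", "https_proxy", "all_proxy",
                  "HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY")

# Per-tool config files that carry their own proxy setting (assumed locations;
# each uses a "key = value" or "key=value" line whose key ends in "proxy").
PROXY_CONFIG_FILES = ("~/.gitconfig", "~/.npmrc", "~/.curlrc", "~/.wgetrc",
                      "~/.config/pip/pip.conf", "~/.pip/pip.conf")

# Matches lines such as 'proxy = http://h:8080', 'https-proxy=http://h', 'http_proxy = "http://h"'.
PROXY_SETTING = re.compile(r'^\s*([A-Za-z_-]*proxy)\s*=\s*"?([^"\s]+)"?', re.I | re.M)


def proxy_host(value):
    """Host part of a proxy value like http://user:pw@proxy.example:8080 (scheme optional)."""
    value = value.strip().strip('"').strip("'")
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def find_proxy_settings(env, config_texts, host=None):
    """Report proxy settings found in an environment mapping and in config file
    contents given as {path: text}. When host is set, only settings that point
    at that host are reported. Returns a list of (location, key, value) tuples."""
    findings = []
    for var in PROXY_ENV_VARS:
        value = env.get(var)
        if value and (host is None or proxy_host(value) == host.lower()):
            findings.append(("env", var, value))
    for path, text in config_texts.items():
        for match in PROXY_SETTING.finditer(text):
            key, value = match.group(1), match.group(2)
            if host is None or proxy_host(value) == host.lower():
                findings.append((path, key, value))
    return findings


def scan_local_machine(host=None):
    """Run the same check against the real environment and whichever of the
    assumed config files exist on this machine."""
    texts = {}
    for path in PROXY_CONFIG_FILES:
        p = Path(path).expanduser()
        if p.is_file():
            texts[path] = p.read_text(errors="replace")
    return find_proxy_settings(os.environ, texts, host)


# Constructed sample input: a developer's shell environment and dotfiles that
# still point at a (hypothetical) demo proxy host long after the talk ended.
SAMPLE_ENV = {"HTTPS_PROXY": "http://demo-proxy.example:8080", "PATH": "/usr/bin"}
SAMPLE_CONFIGS = {
    "~/.gitconfig": "[user]\n\tname = Jane\n[http]\n\tproxy = http://demo-proxy.example:8080\n",
    "~/.npmrc": "registry=https://registry.npmjs.org/\nproxy=http://demo-proxy.example:8080/\n",
    "~/.curlrc": 'proxy = "http://corp-proxy.internal:3128"\n',
}

if __name__ == "__main__":
    # Report only what still points at the demo host; the corporate proxy in
    # .curlrc is legitimate and is left alone.
    for where, key, value in find_proxy_settings(SAMPLE_ENV, SAMPLE_CONFIGS, "demo-proxy.example"):
        print(f"{where}: {key} = {value}")
```

Run `scan_local_machine("demo-proxy.example")` (or with no host, to list every proxy setting) on the workstation that was used for the demo; browser-level and OS-level proxy settings are not covered here and need to be checked separately.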

This is a good comment and touches a lot of concerns I have with the service.

On debugProxy, username and password "sessions" are disabled after 20 minutes of inactivity. This was implemented, in part, to combat the issue of people forgetting they were still connected to the proxy.

Also, I don't want to, nor do I have enough disk space to, store things for long. So body data over 20 minutes old is periodically permanently removed. Header data lasts a bit longer, but is also periodically permanently removed.

This will not prevent users sending private credentials over the proxy, but it's hard to prevent that as you say, so hopefully this mitigates the problem a bit.

Of course you still have to trust the service, for some people that will be totally unacceptable, which is fine.
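The two mitigations the reply describes, a login that lapses after 20 minutes of inactivity and captured data that is purged in tiers (bodies first, headers later), as an added example that is not debugProxy's own code: a small in-memory capture store with an injectable clock so the policy can be exercised without waiting. The 20-minute figures come from the reply; the one-hour header retention, the class and method names and the sample traffic are assumptions for illustration.

```python
import time
from dataclasses import dataclass
from typing import Optional

SESSION_IDLE_LIMIT = 20 * 60   # seconds of inactivity before a proxy login is disabled (from the thread)
BODY_RETENTION = 20 * 60       # captured bodies are deleted once this old (from the thread)
HEADER_RETENTION = 60 * 60     # headers kept "a bit longer": one hour is an assumed value


@dataclass
class Capture:
    captured_at: float
    headers: dict
    body: Optional[bytes]


class CaptureStore:
    """Per-user proxy sessions with a sliding idle timeout plus tiered retention."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so tests can move time forward
        self.sessions = {}          # username -> timestamp of last activity
        self.captures = []

    def login(self, username):
        self.sessions[username] = self.clock()

    def is_active(self, username):
        last = self.sessions.get(username)
        return last is not None and self.clock() - last < SESSION_IDLE_LIMIT

    def record(self, username, headers, body):
        """Accept a captured exchange only from an active session and refresh its
        idle timer. A forgotten proxy setting stops working after 20 idle minutes
        instead of silently feeding traffic to the store for weeks."""
        if not self.is_active(username):
            self.sessions.pop(username, None)
            raise PermissionError(f"session for {username} has lapsed or was never opened")
        now = self.clock()
        self.sessions[username] = now
        self.captures.append(Capture(now, dict(headers), body))

    def purge(self):
        """Periodic sweep: strip bodies older than BODY_RETENTION, drop whole captures
        older than HEADER_RETENTION, and forget idle sessions. Returns
        (bodies_stripped, captures_dropped)."""
        now = self.clock()
        stripped, dropped, kept = 0, 0, []
        for c in self.captures:
            age = now - c.captured_at
            if age >= HEADER_RETENTION:
                dropped += 1
                continue
            if age >= BODY_RETENTION and c.body is not None:
                c.body = None
                stripped += 1
            kept.append(c)
        self.captures = kept
        for user in [u for u, t in self.sessions.items() if now - t >= SESSION_IDLE_LIMIT]:
            del self.sessions[user]
        return stripped, dropped


class FakeClock:
    """Constructed clock for the walkthrough below."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk one user through login, activity, idle expiry and the purge tiers."""
    clock = FakeClock()
    store = CaptureStore(clock)
    store.login("alice")
    store.record("alice", {"Host": "mail.example"}, b"constructed login form body")   # t = 0
    clock.advance(19 * 60)
    store.record("alice", {"Host": "mail.example"}, b"constructed second request")   # t = 19 min, keeps session alive
    clock.advance(5 * 60)
    first_purge = store.purge()          # t = 24 min: first body is 24 min old and gets stripped
    clock.advance(21 * 60)               # t = 45 min: 26 idle minutes since the last request
    try:
        store.record("alice", {"Host": "mail.example"}, b"late request")
        lapsed = False
    except PermissionError:
        lapsed = True
    second_purge = store.purge()         # second body is now 26 min old
    clock.advance(20 * 60)
    third_purge = store.purge()          # t = 65 min: first capture passes HEADER_RETENTION
    return {"first_purge": first_purge, "lapsed": lapsed, "second_purge": second_purge,
            "third_purge": third_purge, "remaining": len(store.captures)}


if __name__ == "__main__":
    print(demo())
```

The idle timer is a sliding window: every recorded exchange refreshes it, so an active debugging session is never cut off mid-work, while a machine that was left configured and then went quiet is locked out after 20 minutes. The purge is what bounds the exposure window for traffic that was already captured before the session lapsed.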