How HTTPS Works Over Proxy

HyperText Transfer Protocol (HTTP) is the basic underlying technology facilitating communication over the internet. HTTPS extends the HyperText Transfer Protocol, adding an encryption layer to data transmitted over the connection.

In recent years, HTTPS has become the standard protocol for nearly all websites. While the increased security is a welcome change, it has introduced some complications for proxy users.

Thankfully, proxy providers have developed solutions for Secure HTTP connections to function correctly. This article will give an overview of how proxies can work with HTTPS.

Proxies over HTTPS: Understanding the Problem

HTTPS prevents eavesdropping by design, so any intermediary that needs to read the traffic between client and server should be unable to do its job over HTTPS. This property is part of what makes online shopping and banking viable: when using HTTPS, you can be sure that no third party is listening in on your transaction.

A proxy is, by definition, a mediating host between the server and the client, usually used to mask the client's actual location. At first glance these two technologies might seem mutually exclusive, and for a while that was correct.

To the end user, connecting to a website over HTTPS may not look any different from regular HTTP, but things are different under the hood. Behind the scenes, your web browser establishes a chain of trust between your device and the web server. Verifying this chain involves checking identity certificates and the digital fingerprints assigned to servers, and negotiating encryption keys. Many proxies cannot pass this initial step of establishing the trust chain, so they never get as far as initializing the secure connection.

Establishing a Secure Proxied Connection

An HTTP connection consists of several stages. The initial step is to contact the server over a designated TCP port; this happens regardless of whether the connection is encrypted or not.

Step two is where the security handshake begins. Depending on what the server supports, this could be the legacy SSL protocol or the newer TLS standard. A proxy that correctly supports secure connections will usually handle this handshake step in one of two ways:

  1. The proxy will keep itself outside of the trust chain and merely act as a forwarder when necessary. This method is simpler to set up but less secure, as the initial handshake messages and all certificates will be passed unencrypted through the proxy.
  2. The proxy is also an SSL/TLS server and can establish a second level of authentication with the client. This method provides an additional layer of encryption, essentially a bubble within a bubble. Consequently, no third party will be able to discern the certificates in transit.

In rare cases, there may be proxies configured to utilize both methods simultaneously. These proxies will establish a separate secure connection with a client and remove themselves from the trust chain between the client and the target server.

For example, a client in the United States establishes a secure connection to a proxy in India to access a particular website. The proxy then passes secure requests to the website without including itself in the trust chain between the website and the client. This method is ultimately the safest, as all connection points remain encrypted, with the proxy keeping itself blind to the data.

To CONNECT, or not to CONNECT

Another type of proxy that can operate with HTTPS is the transparent proxy. As the name implies, these proxies work in the background without being noticed by the user. Typical examples of transparent proxies are CDNs, caching servers that speed up the delivery of website data.

Free caching software such as Squid allows users to set up transparent caching proxies capable of creating tunneled HTTPS connections using the CONNECT method. CONNECT is part of the HTTP/1.1 specification, as defined in RFC 2187.

The syntax of a CONNECT request can be as simple as a request line and a Host header:

CONNECT foo.bar.com:443 HTTP/1.1
Host: foo.bar.com:443

The above example asks the proxy to open a tunnel to the remote server. If the proxy agrees, it answers with a 2xx status (typically 200 Connection Established) and from then on forwards bytes in both directions without interpreting them; the TLS handshake then runs end to end between the client and the remote server through the tunnel.
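To make the CONNECT exchange, and the "forwarder" behaviour of the first handshake option above, concrete, here is an added example constructed for this article; it is not Squid's code or the article's own. It builds a CONNECT request like the one above, parses the proxy's reply, and runs a minimal tunnel proxy plus an echo server on the loopback interface. The host names, ports and payload are made up, and the plaintext payload stands in for the TLS records a real client would send once the tunnel is open; the proxy parses only the CONNECT head and records the authority it saw, which is all a blind tunnel proxy learns.

```python
"""HTTP CONNECT tunnel on loopback: a constructed example, not Squid's or the
article's code. An echo server stands in for the origin and the plaintext
payload stands in for the TLS records a real client sends once the tunnel is
open. The proxy parses only the CONNECT head and records the authority it saw,
then copies bytes blindly in both directions."""
import contextlib
import socket
import threading

CONNECT_OK = b"HTTP/1.1 200 Connection Established\r\n\r\n"


def build_connect_request(host, port):
    # Authority form (host:port) in the request line; Host repeats it.
    authority = f"{host}:{port}"
    return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode("ascii")


def parse_connect_response(data):
    """Return (status, headers, leftover); leftover bytes belong to the tunnel."""
    head, sep, leftover = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response head")
    status_line, *header_lines = head.split(b"\r\n")
    code = int(status_line.split(b" ", 2)[1])
    pairs = (line.partition(b":") for line in header_lines)
    headers = {k.strip().lower().decode(): v.strip().decode() for k, _, v in pairs}
    return code, headers, leftover


def _pump(src, dst):
    # One tunnel direction: copy until EOF, never interpret the bytes.
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        with contextlib.suppress(OSError):
            dst.shutdown(socket.SHUT_WR)  # pass the EOF on to the other side


def serve_tunnel_proxy(listener, seen_targets):
    """Accept one client, honour its CONNECT, then forward blindly."""
    client, _ = listener.accept()
    with client:
        head = b""
        while b"\r\n\r\n" not in head:
            chunk = client.recv(4096)
            if not chunk:
                return
            head += chunk
        request_head, _, early = head.partition(b"\r\n\r\n")
        method, authority, _ = request_head.split(b"\r\n")[0].decode().split(" ")
        if method != "CONNECT":
            client.sendall(b"HTTP/1.1 405 Method Not Allowed\r\n\r\n")
            return
        host, port = authority.rsplit(":", 1)
        seen_targets.append(authority)  # all a blind tunnel proxy learns
        with socket.create_connection((host, int(port)), timeout=10) as upstream:
            client.sendall(CONNECT_OK)
            upstream.sendall(early)  # anything the client sent before our 200
            back = threading.Thread(target=_pump, args=(upstream, client))
            back.start()
            _pump(client, upstream)
            back.join()


def serve_echo_origin(listener):
    # Stand-in origin server: returns whatever it receives.
    conn, _ = listener.accept()
    with conn:
        while chunk := conn.recv(4096):
            conn.sendall(chunk)


def run_demo(payload=b"<TLS records would travel here>"):
    """Tunnel to the origin through the proxy and round-trip the payload."""
    origin_l = socket.create_server(("127.0.0.1", 0))
    proxy_l = socket.create_server(("127.0.0.1", 0))
    seen = []
    threads = [threading.Thread(target=serve_echo_origin, args=(origin_l,), daemon=True),
               threading.Thread(target=serve_tunnel_proxy, args=(proxy_l, seen), daemon=True)]
    for t in threads:
        t.start()
    with socket.create_connection(proxy_l.getsockname(), timeout=10) as c:
        c.sendall(build_connect_request(*origin_l.getsockname()))
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = c.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed before answering CONNECT")
            reply += chunk
        code, _, echoed = parse_connect_response(reply)
        if code != 200:
            raise ConnectionError(f"tunnel refused with status {code}")
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)  # the EOF travels through the tunnel too
        while chunk := c.recv(4096):
            echoed += chunk
    for t in threads:
        t.join(timeout=10)
    origin_l.close()
    proxy_l.close()
    return {"status": code, "echoed": echoed, "proxy_saw": seen}
```

Calling run_demo() returns the status the proxy answered, the bytes that came back through the tunnel, and the one thing the proxy recorded: the host:port it was asked to connect to. Two details matter in practice: the client must keep any bytes that arrive after the blank line of the proxy's reply, because they already belong to the tunnel, and a proxy that closes its write side when one end hits EOF lets the connection wind down cleanly instead of hanging.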

Additional Security Considerations

One of the challenges regarding HTTPS and proxies is user privacy. The function of a proxy is to establish connections and pass data back and forth, but how securely that connection is made is what matters.

As a security-conscious user, you should inspect the type of encryption your proxy supports, and examine whether your proxy inserts itself into your trust chain as a man-in-the-middle.
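Both checks just described can be automated from the client side. The following is an added example, not code from the article: it assumes a proxy at proxy_host:proxy_port that speaks HTTP CONNECT and, optionally, a certificate fingerprint (expected_fp) that you recorded over a direct connection or obtained from the site operator. The function names (inspect_through_proxy, assess, cert_fingerprint) and the WEAK_CIPHER_MARKERS list are my own.

```python
"""Inspect what a CONNECT proxy lets through: negotiated TLS version, cipher
suite and the origin's leaf certificate. Constructed example added to this
article, not code from it. Assumptions: proxy_host:proxy_port speaks HTTP
CONNECT, and expected_fp is the fingerprint recorded over a direct connection.
A fingerprint mismatch means TLS was terminated and re-signed somewhere on the
path, i.e. the proxy is acting as a man-in-the-middle, not a blind forwarder."""
import hashlib
import socket
import ssl

# Substrings of OpenSSL cipher names that indicate an obsolete suite (my own list).
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "MD5", "EXPORT")


def connect_request(host, port):
    authority = f"{host}:{port}"
    return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode("ascii")


def cert_fingerprint(der):
    """SHA-256 over the DER certificate, colon-separated as browsers show it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def assess(version, cipher_name, fingerprint, expected_fp=None):
    """Turn the raw observations into findings a user can act on."""
    findings = []
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"outdated protocol negotiated: {version}")
    if any(marker in cipher_name for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite negotiated: {cipher_name}")
    if expected_fp and fingerprint != expected_fp.upper():
        findings.append("leaf certificate differs from the one seen directly: "
                        "TLS is being intercepted in the path")
    return findings


def inspect_through_proxy(proxy_host, proxy_port, target_host, target_port=443,
                          expected_fp=None, timeout=10):
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # a downgrade fails the handshake
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as raw:
        raw.sendall(connect_request(target_host, target_port))
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = raw.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection before replying")
            reply += chunk
        status_line = reply.split(b"\r\n", 1)[0].decode(errors="replace")
        if status_line.split(" ")[1] != "200":
            raise ConnectionError(f"proxy refused the tunnel: {status_line}")
        # A 2xx CONNECT reply carries no body, so nothing of the tunnel is lost
        # here. The handshake now runs end to end through the proxy, and
        # server_hostname makes the client check the origin's name, not the proxy's.
        with ctx.wrap_socket(raw, server_hostname=target_host) as tls:
            der = tls.getpeercert(binary_form=True)
            version, cipher_name = tls.version(), tls.cipher()[0]
    fp = cert_fingerprint(der)
    return {"version": version, "cipher": cipher_name, "fingerprint": fp,
            "findings": assess(version, cipher_name, fp, expected_fp)}
```

A proxy of the first kind (a forwarder outside the trust chain) yields the same fingerprint through the tunnel as a direct connection does. One that terminates TLS itself must present a certificate of its own for the origin's name; the default context only accepts that if the proxy's issuing CA has been installed on your machine, and the fingerprint comparison catches it even then.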

Because all of your internet traffic passes through the proxy server, make sure the server itself is well protected, with measures such as a robust firewall and antivirus.

Finally, remember that while most data is encrypted when using a secure proxy, DNS requests typically are not. Anyone monitoring your connection can still see which websites you are visiting.

By keeping these facts in mind, you will be better equipped to browse the internet securely and safely.