Marco commented that the CSS history hack doesn’t work with hidemyass.com. Never having been there, I found myself clicking around on their site to find that it’s yet another CGI proxy. So after a few minutes of playing around here is the list of problems or potential problems I have with hidemyass.com and most of the sites that are similar. Here are the top 10 biggest problems that I see (yes I had to limit myself to 10 because this list was getting out of control), in no particular order:
#1 - First thing I did was go to YouTube, and then I visited one of my own sites. It turns out that cookies set by YouTube are sent to my site on subsequent requests. So there are no cross-domain boundaries for cookies. That’s a huge no-no and would easily de-obfuscate where you’ve been, not to mention giving the other site access to your account.
#2 - The site sends a referrer of the hidemyass.com website, so you can easily see that the user came from there.
#3 - The site is still vulnerable to the CSS history hack, but instead of picking one of the sub-urls, you’d just pick the main one of http://hidemyass.com/ and poof!
#4 - The proxy doesn’t re-write the JavaScript, so it’s easy to just call yourself in the JavaScript to see that they are using this service.
#5 - Since every site resides on the same CGI proxy’d domain it’s trivial to see what other domains have been logged into and more importantly, what the content is on those other pages.
#6 - What happens when the site is SSL? Does it even work or does it downgrade you into non-ssl? Either way…
#7 - Same question as above, but what about FTP, SMB and all the other protocols out there…? Either they work or they don’t. Either way, bad news.
#8 - The IP addresses aren’t diverse enough - usually the same set of a handful of IPs, and therefore can be tracked, and/or can cause flood limits on sites looking for that sort of thing.
#9 - Sites like these tend to be run by bad guys, and tend to log whatever information is sent over the wire. What a great place to man in the middle someone - right? Even if they weren’t run by bad guys, they could easily be hacked into in many cases, in which case, every user who utilizes it is potentially in danger.
#10 - Sites like this tend to muck with the HTML of the page they output, making them trivial to detect in JavaScript space, and worse yet, they often can cause major CSS collisions with other page content, or even be overwritten in such a way that the user thinks they are interacting with the CGI Proxy and doing something benign but in fact the user is performing an action that can hurt them.
So yeah, please don’t use CGI proxies unless you really know what you’re doing. They very rarely increase your security; most of the time they just decrease it. And yes, this applies to the dozen or so other sites that the same company runs and the hundreds of others you find mentioned on digg.com and the like. Avoid them, unless you simply don’t care about any of these risks.
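The cookie leak in #1 and the shared-domain problem in #5 both come down to the browser scoping cookies by host. The added example below is not from the original post: the hostnames, cookie values and `proxy.example` are constructed, and the relaying behaviour is an assumption about how such a proxy handles cookies. It models direct browsing, a naive CGI proxy, and a proxy that namespaces cookies per upstream site.

```javascript
// Added example, not code from the original post. Hosts and cookies are constructed.
// Assumption: the proxy relays upstream Set-Cookie under its own host, proxy.example.
const PROXY = 'proxy.example';
const SITES = { // constructed upstream sites and the cookies each one sets
  'video.example': { SESSION: 'v-123' },
  'blog.example': { visitor: 'b-456' },
};
// Simplified browser cookie jar: cookies are host-only (no Domain attribute).
class CookieJar {
  constructor() { this.byHost = new Map(); }
  set(host, name, value) {
    if (!this.byHost.has(host)) this.byHost.set(host, new Map());
    this.byHost.get(host).set(name, value);
  }
  namesFor(host) { return [...(this.byHost.get(host) || new Map()).keys()].sort(); }
}

// Direct browsing: each cookie is filed under the site that set it.
function browseDirect(jar, site) {
  const received = jar.namesFor(site);
  for (const [n, v] of Object.entries(SITES[site])) jar.set(site, n, v);
  return received; // cookie names this site saw on the request
}

// Naive proxy: the browser only talks to PROXY, so all cookies land under it,
// and the proxy forwards the whole Cookie header to whichever site is fetched.
function browseViaNaiveProxy(jar, site) {
  const received = jar.namesFor(PROXY);
  for (const [n, v] of Object.entries(SITES[site])) jar.set(PROXY, n, v);
  return received;
}

// Scoped proxy: names are prefixed with the upstream host, and only cookies
// carrying the requested site's prefix are forwarded, with the prefix removed.
function browseViaScopedProxy(jar, site) {
  const prefix = site + '|';
  const received = jar.namesFor(PROXY)
    .filter((n) => n.startsWith(prefix)).map((n) => n.slice(prefix.length));
  for (const [n, v] of Object.entries(SITES[site])) jar.set(PROXY, prefix + n, v);
  return received;
}

// Visit video.example, then blog.example; return what blog.example receives.
function cookiesSeenBySecondSite(browse) {
  const jar = new CookieJar();
  browse(jar, 'video.example');
  return browse(jar, 'blog.example');
}
for (const f of [browseDirect, browseViaNaiveProxy, browseViaScopedProxy]) console.log(f.name, cookiesSeenBySecondSite(f));
```

Scoping the forwarded cookies only addresses #1. Every proxied page is still served from the one proxy origin, so the content exposure described in #5 remains.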