Millions of people across the world use free proxy services to bypass censorship filters, improve online security, and access websites that aren’t available in their country. But an analysis has found those free services come at an unexpected cost for users: their privacy and security. Christian Haschek, an Austria-based security researcher, wrote a script that analyzed 443 open proxies, which route web traffic through an alternate, often pseudo-anonymous, computer network. The script tested the proxies to see if they modified site content or allowed users to browse sites while using encryption. According to Haschek’s research, just 21 percent of the tested proxies weren’t “shady.”
Haschek found that the other 79 percent of surveyed proxy services forbade secure HTTPS traffic.
HTTPS is commonly used to encrypt Web traffic, allowing users to enter credit cards, passwords, and other sensitive information in a manner that makes it difficult for hackers and intermediaries to intercept. By preventing customers from using the Web securely, Haschek warns these open proxies “can analyze your traffic and steal your logins.”
Proxy usage has been growing over the years along with the rise of content streaming services and growing fears of government surveillance of internet activity. Virtual Private Networks (VPNs), which encrypt all your traffic and route it through another server to mask your location, are commonly used by people looking to bypass geolocation restrictions on services such as Netflix, Hulu, and BBC iPlayer. And because VPNs mask users’ locations, software and media pirates have also flocked to them to make it more difficult for content owners to sue them in court.
VPN services are also popular in countries with strict Internet laws. They have been used in China, particularly by foreigners looking to access Western websites blocked by the Great Firewall, until the Chinese government moved to block VPN access earlier this year. In April, many Australians started using VPNs after the government passed a mandatory data retention law. As a result, CNET reported that one VPN provider’s Australian business increased 500 percent between early March and mid-April.
At the same time, in the past few months free VPN services have been tied to deceptive business practices. Hola, an Israeli VPN service that boasts over 48 million users, was widely criticized last month for selling its free-tier users’ idle bandwidth. This meant Hola’s millions of free users were unknowingly turned into a botnet that was utilized for criminal activities, including repeated denial-of-service attacks against the message board 8chan.
Haschek’s analysis didn’t uncover anything quite so sinister, but noted some of the reviewed services were “definitely bad adware.” A previous report from the security researcher noted that many of these free proxies exist because establishing the service serves as “an easy way to infect thousands of users and collect their data.”
According to that report, Haschek observed that controlling a VPN service makes it easy to manipulate websites to steal login information and banking and credit card accounts, turn users into a distributed denial-of-service attack botnet, and monitor all their Web activities.
Finding Safe Alternatives
To help combat the security vulnerabilities users expose themselves to when using free proxies, Haschek released a tool called Proxy Checker, which performs a cursory evaluation on any proxy service in use to ensure it isn’t manipulating content or forcing users to forgo encryption.
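The two checks described above (does the proxy alter page content, and does it refuse HTTPS) can be sketched as follows. This is an added example, not Haschek's Proxy Checker; the function names, the sample page, and the `ads.example` host are constructed for illustration.

```python
import hashlib
import re

# Tags whose appearance only in the proxied copy signals injected active content.
ACTIVE_TAG = re.compile(r"<(?:script|iframe)\b[^>]*>", re.IGNORECASE)

# Constructed sample data: a reference page fetched directly, and the same page
# as returned through a hypothetical proxy that appended an ad script.
REFERENCE = '<html><body><h1>test</h1><script src="/app.js"></script></body></html>'
PROXIED = REFERENCE.replace(
    "</body>", '<script src="http://ads.example/inject.js"></script></body>')

def connect_allowed(status_line):
    """True only if the proxy answered an HTTP CONNECT request with a 2xx status."""
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", status_line)
    return bool(m) and m.group(1).startswith("2")

def active_tags(html):
    """All opening <script>/<iframe> tags in the document, in order."""
    return [m.group(0) for m in ACTIVE_TAG.finditer(html)]

def injected_tags(reference, proxied):
    """Active tags present in the proxied body but absent from the reference."""
    known = set(active_tags(reference))
    return [t for t in active_tags(proxied) if t not in known]

def digest(body):
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def assess(reference, proxied, connect_status_line):
    """Summarise both checks for one proxy."""
    return {
        "https_allowed": connect_allowed(connect_status_line),
        "content_modified": digest(reference) != digest(proxied),
        "injected": injected_tags(reference, proxied),
    }

if __name__ == "__main__":
    print(assess(REFERENCE, REFERENCE, "HTTP/1.1 200 Connection established"))
    print(assess(REFERENCE, PROXIED, "HTTP/1.1 403 Forbidden"))
```

In practice the two bodies would come from fetching a page you control, once directly and once through the proxy under test, and the status line from the proxy's reply to a CONNECT request for port 443.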
But Haschek recommends avoiding free proxies altogether. Fortunately, secure alternatives exist.
Using a paid VPN or proxy service is a good place to start. Because these paid services rely on monthly subscription revenue to support their operation, they don’t have to resort to breaking encryption to serve ads or selling their users’ traffic, as was the case with Hola. For Jonathan Roudier, president of the widely recommended VPN service Private Internet Access, privacy is the focus.
“We wanted to offer the best privacy and security available,” Roudier told WIRED. “That comes at a cost.”
Roudier noted that paid VPN services have other benefits over free offerings that go beyond security, including providing customer support, not placing bandwidth restrictions on users, and allowing users to choose which encryption method to use.
However, not all paid VPN services prioritize their users’ security equally. When shopping for a VPN service, it is recommended to find a service that does not log its customers’ traffic and prevents an anonymity-unmasking issue known as IPv6 leakage. Both Private Internet Access and another popular service, Mullvad, carry that level of security. Another provider, TorGuard, does not log user activity and allows users to prevent IPv6 leakage through an advanced setting in its VPN client.
Users can also use Tor, which is both free and regarded as one of the most secure anonymous browsing services available. However, Tor relies on volunteer-run servers to relay traffic and bounces that traffic across the globe, which means you can kiss smooth streaming of HD video goodbye.
Ultimately, there is no silver bullet to ensure complete security and privacy online. But when entrusting your Internet traffic to a third party, it’s best to use a service that isn’t basing its business on serving ads—and weakening your security.