This is the third installment of a three-part series on the pros and cons of anonymous proxy services. Read the first installment here and listen to the second installment here.
There are a variety of legitimate reasons for security professionals to use anonymous proxy servers. But would they trust a third-party service that lives on the Web?
Dallas-based security practitioner Kevin Nixon's three-word answer: "No! No! No!"
Using a Web-based anonymous proxy service is about as safe and useful as a frontal lobotomy, says Nixon, a specialist in data privacy and international regulatory compliance.
"If you need more proof, just ask [US Republican VP candidate] Sarah Palin, who had her email hacked because" a hacker was able to easily access her Yahoo e-mail account information via the Ctunnel.com proxy service. Services like that have lax user policies, Nixon says, adding, "Why would anyone hand over a complete list of trusted TCP/IP addresses to any company that has [loose policies] like Ctunnel?"
Web-based anonymizers like this aren't compliant with regulations and industry standards such as FISMA, FACTA, HIPAA, GLBA or SOX, and trusting them sets the user up for an experience like the one Palin was forced to endure, Nixon says.
His concerns reflect those of others CSOonline interviewed regarding the trustworthiness of Web-based anonymous proxy services. One can never be sure who is controlling a given proxy or how strict their moral code may be, which is why George Johnson, chief security officer at the National Center for Crisis and Continuity Coordination (NC4), would never use one.
"Anyone who really cares about protecting what they are doing should not use a random proxy as you do not know who is controlling it," he says. "They could indeed be capturing all of your traffic and it could then be used against you at a later date."
He says those who truly care about the privacy of their transactions must do their homework and understand what protections are provided by the service they are thinking of using.
"That is difficult because it's hard to understand all of the players in the communications link," he says. "I am not aware of a single service that provides enough transparency for people to make an educated decision."