Proxy servers usage

Can they get my password?

         

zechariah

6:23 am on Sep 27, 2002 (gmt 0)

10+ Year Member



I'm using one of those free proxy servers that I got from the net, so my question is, are they able to get my password & id when I log into my Yahoo mail account & other web applications that require login?
Another, different question on the hta ban, which is the hottest topic discussed here: I saw that ping is also included in the ban list, so does that mean that anybody pinging my domain.com won't get any info?

Dreamquick

8:48 am on Nov 21, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Are *who* able to get your username / password when you are on the net?

If you mean can the proxy see that data / cookie, then if the connection is simple http then yes, as it's all plaintext; if the connection is https then it takes a little more effort (i.e. a man-in-the-middle technique), but it is still possible for the proxy to see your data, albeit a lot harder.

- Tony

zechariah

7:42 am on Nov 25, 2002 (gmt 0)

10+ Year Member



Wow, are you serious? Then most of the passwords I use to log in to my Yahoo mail would have been jeopardised?

Dreamquick

10:17 am on Nov 26, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Well that depends really;

If you have installed a popular proxy program on your local machine then more likely than not it does exactly what it says on the box, nothing to worry about - equally if you are buying a proxy service then you have very little to worry about.

In either case these people/organisations have a reason to give you a proper product which has not been tampered with, as obviously if it were tampered with it would make them look *very* bad indeed...

However the problems can start if you use random proxy addresses you find on the net, as the majority of these sites I've seen are built from user-contributions and/or automated scanning - this means that the owners of the proxies on the list may not want them to be there.

If the situation was reversed and you found out someone was using one of your machines illegally what would you do?

Some people put up rude notices or just stop external access to the machine, obviously the more technologically literate they are the more options are open to them.

So what can a proxy see/do?

If it's just http then yes, that proxy could *in theory* see what you did to log in (assuming the login is HTTP based), although I'd have to say that this would be very rare unless you got your list of proxies from a very questionable source, as it would require a lot of log space and a lot of time to configure well.

Your average proxy normally does one of two things;

1) logs nothing (probably the admin doesn't quite understand what the proxy does and who it is accessible to!)

2) logs IP+URLs (might be how it is configured out of the box, or it might be intended to be open to the world but with the logging allowing some recourse if required, i.e. someone does a web hack through one)

Now let us step into the realm of malicious intent - you have to remember that the following scenarios are both possible and incredibly unlikely to be encountered unless someone is *really* out to get you or you are working with web-security systems...

Obviously HTTP is insecure - if the proxy wanted to change/log http traffic going between you and the website (or indeed the website and you) it could do so with *very* little effort, and it would be hard to detect unless you were looking for it...

HTTPS is essentially HTTP with a layer of encryption wrapped around it; this also means that changing the content mid-flow is pretty hard to do, since any change will be detected as it breaks the encryption. To properly re-encrypt without breaking the flow you'd need the original certificate, which obviously you wouldn't have.

However, if memory serves there are a few IE bugs/fixes which relate to certificate security, specifically how to spoof them - 99% of the time unless the browser tells you the HTTPS connection has a problem how many people actually check the little pad-lock icon to see what it says?

- Tony
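The difference Tony describes between plain HTTP and HTTPS through a proxy, as an added example that is not part of the original thread: it takes the first message a browser sends to a forward proxy and reports which parts the proxy can read, listing field names only. The two sample requests, the host `mail.example.test` and the function name `proxy_exposure` are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

SENSITIVE_HEADERS = {"cookie", "authorization", "proxy-authorization"}

# Constructed sample: a form login sent over plain HTTP via a forward proxy.
HTTP_LOGIN = (
    b"POST http://mail.example.test/login HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"Cookie: session=constructed-value\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 38\r\n\r\n"
    b"login=alice&passwd=not-a-real-password"
)
# Constructed sample: the same site over HTTPS; the browser asks for a tunnel.
HTTPS_CONNECT = (
    b"CONNECT mail.example.test:443 HTTP/1.1\r\n"
    b"Host: mail.example.test:443\r\n\r\n"
)

def proxy_exposure(raw: bytes) -> dict:
    """Summarise what a forward proxy can read from the client's first message.

    Only field *names* are returned, never their values.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    seen = sorted(SENSITIVE_HEADERS.intersection(headers))

    if method == "CONNECT":
        # The proxy learns host and port; what follows is TLS between the
        # browser and the site, opaque while the certificate check holds.
        host, _, port = target.rpartition(":")
        return {"mode": "tunnel", "host": host, "port": int(port),
                "path": None, "sensitive_headers": seen, "form_fields": []}

    # Plain HTTP: full URL, headers and body cross the proxy in cleartext.
    url = urlsplit(target)
    fields = []
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = [k for k, _ in parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True)]
    return {"mode": "cleartext", "host": url.hostname, "port": url.port or 80,
            "path": url.path, "sensitive_headers": seen, "form_fields": fields}
```

The `tunnel` result only holds while the browser validates the site's certificate and the user does not click through a warning, which is the man-in-the-middle case raised above.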

zechariah

5:33 am on Nov 27, 2002 (gmt 0)

10+ Year Member



Thanks, Tony, for giving me an education on this. I'm currently using some free IPs I got from the web when I typed in "free proxy" - aka Google. Because of certain sites like Godaddy, my only choice for accessing & purchasing a domain from them is through a proxy, because I realised that they ban certain ranges of country-specific IPs.
My worry would be if my Yahoo email password would be stolen. That would be a small matter, but then what is privacy. I know that they can log the sites that one goes to, but I just wasn't sure if they can tap your password & id when you log in using their proxy.
Now that you've mentioned it, I'll use it sparingly.
Thanks, Zech