I was asked by a friend earlier today to help her find an anonymizer proxy, since she can't get to MySpace and FaceBook from work. I googled around a little and gave her some options (all of which were blocked by her web filter, by the way) but then something else struck me.
I wondered how many people use these "proxies" every day, and what juicy information pumps through them.
By nature, "anonymizer proxies" are a man-in-the-middle type of node, which is typically presented in the form of a web-page which opens the user's desired site or page in a frame. Think about that. How many people do you suppose use those proxies to do things like browse MySpace, Facebook, ESPN and other typically-blocked sites? I suspect that there are many, many people who do this. Then on the extreme end of this example, how many people use those proxies to check their bank balance? I'm sure that number isn't huge, and hopefully people know better - but do they?
I get that 90% of anonymizer proxy traffic is to sites that are typically blocked from where you're browsing (actually... lots of these anonymizer sites are blocked too, so...) but there are user IDs, passwords, and other credentials floating through these proxies... and I wonder if there's someone that's set one of these up, with a full request/response dump happening there for certain web sites, or simply looking for specific credentials or passwords. I've thought about it and then thought of doing a project. What if I set one of these up, and advertised it as an open, fully-anonymous proxy (meaning I don't log the sources of requests) but then put a EULA clause that allows me to 'monitor' traffic, and by that I mean dump logins, passwords, and other juicy information - for research purposes only, of course.
I wonder how long it would take to get traffic on this hypothetical site, and how much cool stuff I could collect. And I wonder how many sites are already out there doing this...
This fascinates me, so if you have any information that would be enlightening - post a comment or email me directly.