There are a variety of reasons why online entrepreneurs and marketers need to have access to proxies and multiple IP addresses. However at the core of these is maintaining the ability to operate different digital identities. For the ordinary user a single identity may be sufficient as long as you’re not too worried about the tracking and monitoring that goes on. Yet for the entrepreneur who needs to run multiple social accounts using tools like Jarvee, need to run different search queries or simply needs to operate in different countries then it’s pretty much essential. Your IP address is at the core of most digital authentication systems, it’s the most important piece of information that websites have about ‘where you’re from’ and ‘what type of user are you?’.
It’s much more straight forward in the physical world of course, questions of identity are easier to answer. The typical method in the real world is of course some sort of physical pass or token, like an identity badge or card. We trust or allow access to the bearer of the pass as long as we trust who issued and authenticated it in the first place. Within security circles these identification tokens are normally referred to as credentials and they can potentially exist in the digital world too.
Digital credentials in many ways determine your access online to different websites and resources. Sometimes they are used to restrict and block access to paid resources, often they are used to filter and restrict based on other factors such as location. Many websites have complicated infrastructure and mechanisms designed to build up more detail to these identities, often without the acknowledgement of the individuals involved.
Digital Authentication Systems
The core of any authentication system is some sort of credential. These can come in all sorts of different forms but can be created using one or more authentication factors. here’s some of the more common basis of modern credentials –
- Something you know
- Something you have
- Something you are
- Some combination of the above.
As far as security goes, the more of these factors which are used the more secure it is. However for many systems these are built up quietly in the background often without the knowledge of the user involved.
Now not everyone will instantly identify that cookies are identity credentials, but in fact they represent the most prevalent form of credentials on the internet. We’ve all probably heard the term but what exactly do they represent. A cookie can actually be many things containing information such as a handle, transaction ID or some sort of agreement between disparate systems. To give you a real world example of a ‘cookie’ think of something like a ticket to a pawnshop, it has no use or value except between the two involved int he transaction – i.e. the customer and the pawn shop.
However on the internet, cookies are normally exchanged using the browsers that people use to surf the web and the servers that host the websites themselves. Cookies are used to tie the user with the activity or transactions completed over the internet. For those of us who are trying to hide our locations and identities then obviously any tracking processes need to be avoided wherever possible.
Here’s a rough list of the rules that are followed when cookies are deployed –
- Web servers asks browser to stored some information for it.
- Web server chooses information to send to browser.
- Browser stores the information in the cookie and passes it back.
- Browser choose the cookie and file format but doesn’t alter information
- Cookie contains no personal information
- Cookie must not be a program, executable or contain any code. It also has no access to other information on that computer.
- Next visit to the web site, the cookie will be sent back to the web server.
They play an essential role in identifying and tracking a user when they visit a web site. Without cookies, you’d be starting from scratch each time you visited a web site – primarily because HTTP is a stateless protocol where every request looks like a completely different session. Of course this is what you want if you’re concerned with managing multiple identities or maintaining a level of privacy.
However they certainly can make life easier when using complicated websites. Cookies allow functionality like filling in forms for you, maintaining shopping baskets or even remembering your password for you between visits.
How Do Proxies Handle Cookies – Non-Static Routes
Many cookies are simply text files stored locally by the browser however this cannot always be the case. If cookies are being used as proper authentication credentials then obviously storing a password in clear text is not a sensible options. Typically the information will be encoded in a cookie, together with a small fingerprint of the encoded data. The MD5 signature is often used to prevent tamering and spoofing risks of people intercepting the cookie file.
Here’s the sort of items included in the signature –
- User ID.
- Original IP address of request.
- Expiration time of the cookie.
- Fingerprint of the cookie.
So in our example above, the user ID and the expiration would probably be in clear text and also encoded within the MD5 digest section too. This would also include the original IP address and some random string generated by the server to identify the specific client.
The MD5 section is used to ensure the cookie is valid, the digest will normally be calculated from the user ID and the expiration time plus the other pieces of data including the random server generated string. The server will validate the cookie in several ways – usually starting by looking up the IP address of the incoming connection, the random string – these are typically used to calculate the MD5 signature which can be compared with the signature contained in the cookie. If they match the cookie will be accepted and valid otherwise the cookie will be discarded as invalid.
The crucial factor here for authentication purposes is the random string, as without this it’s almost impossible to generate a piece of data with a matching MD5 signature. The other data is either visible in the cookie in clear text or can be determined from the network connection as is the case with the IP address. Remember this random string is only known to the server, and can be generated through a variety of methods – often completely random or generated based on some global variable or the other information in the cookie.
The difficulty of course when using proxies is that there is potential confusion because the transaction is not simply between two endpoints (the client and server). A standard HTTP cookie is designed to maintain state between the client and the origin server. They cannot be used for storing the state between a client and proxy server or even between multiple proxies.
Most proxies are simply set to forward cookies without any interference, however this ‘hands off’ approach won’t solve all issues. One of the big issues is that the IP address is used for direct authentication in the cookie and often also to create the MD5 signature too. One issue is that although the IP address of the client may be relatively static but the proxies quite often aren’t. Often the proxy will rotate IP addresses so there will be different source IP addresses used within the same cookie. This will normally make the cookie invalid and it will be discarded automatically.