vpn – Store cookies for multiple sites on remote server and connect from multiple clients


No, it won’t be any practical nor solve anything.

First, there are cookies set or read from Javascript. Those cookies won’t be stored on the server and will be different on each device. Every site using them will fail somehow. Sites that store the browser on a session variable will detect that your cookie was used with Firefox mobile and desktop, and may lock your session or password for suspected session hijack.

Second, it increases the complexity considerably, without any benefit. Having a custom VPN on each device is costly, both on speed and on battery consumption. Using a proxy on the server would be simpler, but will reduce speed as well.

Third, you will have to install a custom CA on each device, intercept the SSL connection server-side, create a certificate on-fly and encrypt the connection with the generated certificate before sending to the client. This is a huge issue if someone hacks into the server (more on this later).

Lastly, you will have to maintain a backend infrastructure to store and manage every cookie, and write a custom process to check every HTTP header, strip all cookies, store them securely, and send to the client. On the other side, you will have to intercept every connection from every client, search for cookies, alter the request, and add the cookies.

I could keep diverse and very strong passwords for every website

You would better use a password manager for that.

logging in to all the sites I use on a new device only requires one sign in

With a password manager, one keystroke will login you back.

If the authentication to my custom VPN is cracked, then every website I’ve logged into would be accessible

Only cookies would be stored digitally, so if anything went wrong server-side, my passwords would be safe

Not even close. The cookies are the least of your problems. If something goes wrong server-side (like an attacker compromising it), the attacker will be in position to MitM every single HTTP/HTTPS connection you have. They have the private key of your custom, trusted CA, and can create valid certificates for everything. A custom CA enables you (and the attacker also) to bypass HSTS validation, so even websites protected by HSTS will be able to be attacked.

Imagine downloading a driver for any device you have, and the attacker changing the download on-fly to embed a root-level backdoor and keep the device signed. Or going to your bank to transfer money to someone, and the attacker changing server-side all transfer details but keeping the client-side unchanged, so you put the destination account on the form, read the confirmation page with the correct destination, press “Confirm” to send the money, read the confirmation page with the correct details, but server-side the attacker wired the money somewhere else. And that is possible because of the custom CA and the interception proxy.

They will have access to every single website you already accessed, and have access to every single website you access from that point on, being able to read and change anything at will. And be able to even change sites that you never accessed before, even when you don’t use your custom proxy.

How? HTTP Caching. He can backdoor, for example, https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.js or https://code.jquery.com/jquery-3.5.1.js and put a very long expiration date. As soon as your browser cache this backdoored version, it does not matter if you are using the proxy or not, every site that uses this CDN version of JQuery can be compromised.

It’s not as cool?

For me, looks like a disaster waiting to happen…