Re: https proxy

From: John Hazen (john_at_hazen.net)
Date: 07/28/04 

Date: Tue, 27 Jul 2004 19:25:27 -0700
To: python-list@python.org

* Peter Hansen <peter@engcorp.com> [2004-07-27 13:55]:
> Paul Sweeney wrote:
>
> >I wish to access an https:// site using my browser and click around it. I
> >wish to see the http(s) GET urls and http(s) POST urls and data which are
> >being sent to the https server. If the site were an http:// site I would
> >use a tool like ethereal to see what was going on, but this data is sent
> >encrypted from the browser due to the https connection, so I'll just see
> >the
> >encrypted data. So I need a tool to view the unencrypted form of the data
> >which is being sent encrypted (sorry for being unclear about the
> >"unecrypted
> >data" in my last post, I hope this is better).
>
> Based on what you say here, I think the answer is back to being
> "impossible". The encryption is going on in the browser. If
> the browser thinks it's talking HTTPS, then it will encrypt
> stuff and talk HTTPS. Nothing between the browser end of the
> socket and the server end of the socket will be able to
> decrypt it.

Although, if this is just for testing, I think you could trick the
browser by running a proxy on a different machine that accepts an HTTPS
connection, and creates another HTTPS connection with the destination
server. Then run your own DNS server that hands back bogus answers to
every request resolving to the proxy's IP address.

The browser will talk HTTPS to the proxy, thinking it's talking to the
target server. Of course, this will trigger the "certificate doesn't
match IP address" type of warning, but I think most browsers will let
you continue after warning you. (If not, you could probably still get
around it with the gross hack of having the DNS server communicate with
the proxy, so the proxy could generate on the fly a certificate for the
server name that the browser is trying to reach. This would get you the
"certificate can't be verified" type of error, which is definitely one
that you can continue after acknowledging.)

So, if it's just for testing and research, that might work. Obviously,
it's not a viable setup if you're trying to use it to snoop on the
conversations of unsuspecting users (which I'm not accusing you of, but
it's a much harder problem).

-John

Relevant Pages

  • Re: https proxy
    ... >> data which are being sent to the https server. ... >> https connection, so I'll just see the encrypted data. ... > have to present its own server certificate to the browser, ... This is exactly what the java Paros tool does, but I'd like to have a Python ...
    (comp.lang.python)
  • Re: Open browser and post to https page
    ... >> and password to a server via HTTPS? ... > I want to know if it is possible for the windows application, ... > application opens a full browser window, ...
    (comp.lang.basic.visual.misc)
  • Re: Outlook 2003 cant see Exch 2003 over RPC
    ... To help you troubleshoot RPC try RPC Ping, ... working on the LAN side is my priority rather than the external HTTPS ... server endpoints and let me see what it's trying to do and perhaps what's ... You stated you did get RPC over HTTP to work for a while when the SBS ...
    (microsoft.public.exchange.setup)
  • Re: A basic/newbie question on https.
    ... 'u1' and password 'p1' from within a browser. ... that the browser on the same client machine points to, ... Paros Proxy can do this. ... I know https is a secure protocol; what I don't know is the point at ...
    (comp.security.misc)
  • Re: J2EE container managed security
    ... I use it because it's easy: the application server decides if the user has ... I find it not to be versatile, ... proxy (HTTPS only), which redirects the request via HTTP. ...
    (comp.lang.java.programmer)