SSL


Caio Fernando Bertoldi Paes de Andrade

Jul 15, 2011, 3:17:34 PM
to littl...@googlegroups.com
Guys,

I saw that LittleProxy accepts SSL and I can browse HTTPS sites through it as well.
But my filters didn't work, as I already expected.
I know that accessing the content and headers of an HTTPS session is nearly impossible because of cryptography.
But some research told me that some proxy approaches let the proxy do the SSL work, and the browser talks in plain text with the proxy.
Does LittleProxy have something like that?

Cheers,
Caio

Adam Fisk

Jul 15, 2011, 5:50:49 PM
to littl...@googlegroups.com
Hi Caio- I have to apologize again for neglecting the group. I'll catch up on everything soon, but I wanted to quickly respond to this. All browsers I've seen use HTTP CONNECT when they're configured to use a proxy, and they tunnel SSL through HTTP CONNECT. That's the scenario LittleProxy handles. The intent behind this is to make it impossible for a proxy to MITM an SSL session, so it's directly designed to get around the scenario you're mentioning where the proxy can manipulate the traffic en route.

So the problem is really that no properly written browser will send SSL traffic to the proxy in plain text. It's certainly possible there's some way around that I'm unaware of, but I would be surprised since it would bypass a core element of security on the web more generally (safe use of proxies).

Are there specific examples you've seen of other proxies supporting this? The only scenario I can imagine is through some sort of browser plugin, again unless there's some exotic config I'm unaware of.

Thanks.

-Adam
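The CONNECT tunnel Adam describes, as an added example written for this page in Python (it is not LittleProxy's own Java/Netty code). The proxy parses the browser's `CONNECT host:port` request, answers `200 Connection established`, and from then on copies bytes in both directions without interpreting them. The loopback echo server standing in for the HTTPS origin, the CONNECT request and the payload are all constructed for the example; the round trip shows that whatever the client sends after the 200 (in practice, its TLS handshake) reaches the origin byte for byte, which is exactly why a filter on the proxy has nothing to filter.

```python
import socket
import threading

# Added example, not LittleProxy code: the HTTP CONNECT tunnel Adam describes.
# The proxy parses one CONNECT request, answers "200 Connection established",
# then copies bytes both ways without interpreting them. Everything after the
# 200 is the browser's TLS session, so a proxy-side filter never sees HTTPS.

def parse_connect(request: bytes):
    """(host, port, leftover) for 'CONNECT host:port HTTP/1.x' + headers, else None."""
    head, sep, leftover = request.partition(b"\r\n\r\n")
    if not sep:
        return None
    parts = head.split(b"\r\n")[0].split(b" ")
    if len(parts) != 3 or parts[0] != b"CONNECT" or not parts[2].startswith(b"HTTP/1."):
        return None
    host, colon, port = parts[1].rpartition(b":")
    if not colon or not host or not port.isdigit():
        return None
    return host.decode("ascii"), int(port), leftover        # leftover: bytes after the blank line

def relay(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src reaches EOF, then pass the EOF on."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def serve_connect(client: socket.socket) -> None:
    """Handle one client connection that opens with a CONNECT request."""
    target = parse_connect(client.recv(65536))
    if target is None:
        client.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        client.close()
        return
    host, port, leftover = target
    upstream = socket.create_connection((host, port), timeout=5)
    client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    upstream.sendall(leftover)                # anything the client sent early
    back = threading.Thread(target=relay, args=(upstream, client), daemon=True)
    back.start()
    relay(client, upstream)
    back.join()
    client.close()
    upstream.close()

def _echo_origin(listener: socket.socket) -> None:
    """Stand-in for the HTTPS origin on loopback: echoes every byte it gets."""
    conn, _ = listener.accept()
    listener.close()
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)

def tunnel_roundtrip(payload: bytes):
    """Client -> proxy -> echo origin; returns (proxy status line, bytes echoed back)."""
    origin = socket.socket()
    origin.bind(("127.0.0.1", 0))
    origin.listen(1)
    ohost, oport = origin.getsockname()
    proxy = socket.socket()
    proxy.bind(("127.0.0.1", 0))
    proxy.listen(1)
    proxy_addr = proxy.getsockname()
    threading.Thread(target=_echo_origin, args=(origin,), daemon=True).start()

    def run_proxy():
        conn, _ = proxy.accept()
        proxy.close()
        serve_connect(conn)

    threading.Thread(target=run_proxy, daemon=True).start()
    client = socket.create_connection(proxy_addr, timeout=5)
    connect = "CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n" % (ohost, oport, ohost, oport)
    client.sendall(connect.encode("ascii"))
    reply = b""
    while b"\r\n\r\n" not in reply:
        reply += client.recv(4096)
    client.sendall(payload)                   # opaque to the proxy, e.g. a TLS record
    client.shutdown(socket.SHUT_WR)
    echoed = b""
    while True:
        chunk = client.recv(4096)
        if not chunk:
            break
        echoed += chunk
    client.close()
    return reply.split(b"\r\n")[0], echoed
```

`tunnel_roundtrip(b"\x16\x03\x01...")` returns the proxy's status line and the same bytes the client sent; the proxy never looked at them. A filter hooked into `relay()` would see only the ciphertext of the browser's TLS session, which is the behaviour Adam describes for `HttpConnectRelayingHandler`.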

Caio Fernando Bertoldi Paes de Andrade

Jul 15, 2011, 9:19:40 PM
to littl...@googlegroups.com
Adam,

I am really thankful for your reply. :D

About the browser sending plain text to the proxy and the proxy doing the SSL work, you are completely right; that happened on weak browsers in a time far, far away. x)

But I am still finding actual proxies that *claim* to MITM SSL sessions, by creating a fake certificate and giving it to the browser, then doing SSL to the remote server, and having plain-text access anyway. Charles <http://www.charlesproxy.com/documentation/proxying/ssl-proxying/> and WebScarab <https://www.owasp.org/index.php/WebScarab_SSL_Certificates> *claim* to do that.

I really need to inject some HTML (a simple company bar) for the proxy user, even over SSL. Through SOCKS I know I can't do that.

I will research HTTP CONNECT to understand its functionality better, and see if that helps me.


dani...@gmail.com

Jul 17, 2011, 7:30:41 PM
to LittleProxy
Caio,

What you are talking about can be done using this:

http://crypto.stanford.edu/ssl-mitm/

It creates a fake certificate on the fly, as you say. But as this is a fake certificate, the user will always see a certificate error in the browser.

I need to change responses on SSL connections too. As I think this is not the main subject of this mailing list, you can contact me off list about this. And I think we can talk in Portuguese.

Using mitm-proxy you can see the HTTP conversation in plain text, so you can send your version of the page easily. You only have to change some properties of the response (like Content-Length, because your page size will probably be different from the original page). But I am sure it can be done.

I did some implementations on top of mitm-proxy to make this happen and I will be happy to share them with you.

Danilo.


Caio Fernando Bertoldi Paes de Andrade

Jul 19, 2011, 2:19:21 PM
to littl...@googlegroups.com
@Danilo:
Thanks for your reply!
As we discussed off list, I could prove the concept of MITM SSL with plain-text access. I also noted that mitm-proxy has many limitations, like no support for gzip and no support for charsets in filtering (LittleProxy actually doesn't have good charset support either, but I am already working on something to do encoding detection and I have made some progress).

@Adam:
What do you think about giving LittleProxy an SSL MITM proxying feature? I can work on porting that from mitm-proxy to LittleProxy.
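Danilo's point about rewriting Content-Length once the response is in plain text, and Caio's remark that mitm-proxy handles neither gzip nor charsets, as one added Python example written for this page (it is neither mitm-proxy's nor LittleProxy's code). `inject_bar` takes a raw HTTP response, leaves anything that is not `text/html` alone, un-chunks and un-gzips the body where needed, decodes it with the charset from `Content-Type`, inserts the bar before `</body>`, re-encodes and re-compresses, and then rewrites the framing headers so the browser reads the modified body. `build_response` only constructs sample responses for the example; the "company bar" markup and the pages are made up.

```python
import gzip
import re

# Added example, not mitm-proxy or LittleProxy code: inserting a "company bar"
# into an HTML response that a MITM proxy has in plain text. Handles gzip,
# charset and chunked framing, and rewrites Content-Length afterwards.

def split_response(response: bytes):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body)."""
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response head")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body

def header(headers, name: bytes, default: bytes = b"") -> bytes:
    """Case-insensitive lookup of one header value (name given in lowercase)."""
    for n, v in headers:
        if n.lower() == name:
            return v
    return default

def dechunk(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body into plain bytes."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)    # ignore chunk extensions
        pos = end + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2                                 # skip the chunk's CRLF

def charset_of(content_type: bytes) -> str:
    """charset= parameter of Content-Type, else HTTP's historical default."""
    m = re.search(rb'charset="?([A-Za-z0-9._-]+)', content_type)
    return m.group(1).decode("ascii") if m else "iso-8859-1"

def decode_body(headers, body: bytes) -> str:
    """Un-gzip (if flagged) and decode a non-chunked body as a browser would."""
    if header(headers, b"content-encoding").lower() == b"gzip":
        body = gzip.decompress(body)
    return body.decode(charset_of(header(headers, b"content-type")))

def build_response(html: str, charset: str = "utf-8", gzipped: bool = False,
                   chunked: bool = False) -> bytes:
    """Construct a sample HTML response for the example (not captured traffic)."""
    body = html.encode(charset)
    headers = [b"Content-Type: text/html; charset=" + charset.encode("ascii")]
    if gzipped:
        body = gzip.compress(body)
        headers.append(b"Content-Encoding: gzip")
    if chunked:
        body = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
        headers.append(b"Transfer-Encoding: chunked")
    else:
        headers.append(b"Content-Length: %d" % len(body))
    return b"HTTP/1.1 200 OK\r\n" + b"\r\n".join(headers) + b"\r\n\r\n" + body

def inject_bar(response: bytes, bar_html: str) -> bytes:
    """Insert bar_html before </body>; return the response unchanged if not HTML."""
    status, headers, body = split_response(response)
    ctype = header(headers, b"content-type")
    if not ctype.lower().startswith(b"text/html"):
        return response
    encoding = header(headers, b"content-encoding").lower()
    if encoding not in (b"", b"identity", b"gzip"):
        return response                                 # deflate, br: not handled here
    if b"chunked" in header(headers, b"transfer-encoding").lower():
        body = dechunk(body)
    try:
        text = decode_body(headers, body)
    except (LookupError, ValueError, OSError, EOFError):
        return response                                 # unknown charset or bad gzip
    idx = text.lower().rfind("</body>")
    text = text[:idx] + bar_html + text[idx:] if idx != -1 else text + bar_html
    new_body = text.encode(charset_of(ctype))
    if encoding == b"gzip":
        new_body = gzip.compress(new_body)
    out, has_length = [status], False
    for name, value in headers:
        if name.lower() == b"transfer-encoding":
            continue                                    # body is now Content-Length framed
        if name.lower() == b"content-length":
            value, has_length = str(len(new_body)).encode(), True
        out.append(name + b": " + value)
    if not has_length:
        out.append(b"Content-Length: " + str(len(new_body)).encode())
    return b"\r\n".join(out) + b"\r\n\r\n" + new_body
```

Two details matter in practice: the bar is inserted after decompression and re-compressed afterwards, so `Content-Length` must be computed on the final compressed bytes, not on the HTML; and a chunked response is converted to a fixed `Content-Length` rather than re-chunked, which is the simplest framing that stays consistent with the new body.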

Caio Fernando Bertoldi Paes de Andrade

Jul 20, 2011, 1:03:16 PM
to littl...@googlegroups.com
@Adam:

I forked LittleProxy on GitHub, and I am ready to start making changes.

My idea is that SSL becomes transparent to filtering, so that any filter is applied to HTTP and HTTPS alike.
To do that, I thought of implementing an HttpConnectMITMHandler that, instead of just relaying the content through socks, does the MITM work and lets the filters be applied normally.
The choice between HttpConnectRelayingHandler and HttpConnectMITMHandler would be made through a flag in the Proxy constructor.

This is just an architectural thought; I don't have the Netty expertise to do all of that easily. What do you think about it?

Caio Fernando Bertoldi Paes de Andrade

Jul 20, 2011, 4:05:08 PM
to littl...@googlegroups.com
Sorry for posting two/three times in a row.
I hope you don't think I am a flooder. x)

Studying the code more closely, I noticed that only changing the handler won't work.
What we need is to implement an SSL MITM proxy, which Adam already started developing but stopped, commenting out all the code.
This proxy will run on another port, and it will do two SSL handshakes, like a man-in-the-middle.
What we need to modify in HttpConnectRelayingHandler is the Channel that it relays on. When the MITM flag is on, it should relay to the SSL MITM proxy.
I also noticed that Adam was using an example class for SSLEngine generation. I think we can start developing from there.

Thoughts?

Adam Fisk

Jul 20, 2011, 4:18:03 PM
to littl...@googlegroups.com
Hi Caio and Danilo-

I agree this is certainly possible, although with the major caveat Danilo mentioned that browsers will give a warning about unexpected certs. So it depends on what you need it for. If users are going to be connecting through browsers, the browser warnings are a pretty significant issue. If they're not connecting through browsers, then you could be OK.

On a higher level, I actually think this is a tricky change. If, again, users are running through browsers, the browser will connect using HTTP CONNECT. If you want to MITM that case, you have to start parsing the HTTP CONNECT traffic, identifying the SSL handshake and responding appropriately with your own certs and such. That's a really tricky change, although theoretically certainly possible using Trustin's SSL encoding and decoding code for Netty.

Taking another step back, I'm likely going to add support in LittleProxy for DNS-SEC as well. That really moves in the other direction of making it impossible to provide fake certs, instead ultimately using certs provided in DNS itself. This is along the lines of why I originally started writing LittleProxy. It's a core component of the upcoming Lantern censorship circumvention tool (you can enter your e-mail at http://www.getlantern.org if you'd like to be notified when we release it), with the goal of making it useless for governments or anyone else to MITM citizens' traffic.

So I'm certainly not against your efforts, but it's a hard enough change and different enough from those original goals of LittleProxy that I don't think I can write much code for it. 

I'll definitely be curious to see what you come up with though. That initial code to support SSL in LittleProxy is really just there to use LittleProxy over HTTPS, so not running through HTTP CONNECT but SSL directly. Again, that may be what you need depending on your deployment scenario. There's some code in there to auto-generate self-signed certs as well using keytool.

Good luck!

-Adam
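Adam's description of what a MITM-capable proxy must do inside the CONNECT tunnel ("identifying the SSL handshake and responding appropriately with your own certs"), together with the MITM on/off flag Caio proposes, as an added Python example written for this page (not LittleProxy's code, and not the mitm-proxy code Danilo links). The first bytes the browser sends after `200 Connection established` are a TLS ClientHello; its SNI extension names the host the forged certificate must carry, so that is what the proxy parses before deciding whether to terminate TLS or fall back to blind relaying. `build_client_hello` exists only to construct sample input; certificate minting and the two handshakes themselves are outside this block.

```python
import struct

# Added example, not LittleProxy code: inside a CONNECT tunnel, find the TLS
# ClientHello and read its SNI, which is the name a forged certificate needs.
# build_client_hello only constructs sample input for the parser.

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying one SNI entry."""
    name = server_name.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name            # NameType host_name
    server_name_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    body = (b"\x03\x03" + bytes(32)                # client_version, random (zeroed sample)
            + b"\x00"                              # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
            + b"\x01\x00"                          # compression_methods: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def sni_from_client_hello(data: bytes):
    """Return the SNI host_name in a TLS ClientHello; None if the bytes are not a
    ClientHello or carry no SNI; ValueError if the record is truncated/malformed."""
    if len(data) < 5 or data[0] != 0x16:                 # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < rec_len or len(hs) < 4:
        raise ValueError("truncated TLS record; read more bytes first")
    if hs[0] != 0x01:
        return None                                      # handshake, but not ClientHello
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                     # skip version and random
        pos += 1 + body[pos]                             # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                             # compression_methods
        if pos >= len(body):
            return None                                  # no extensions at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype != 0x0000:
                continue
            lpos = 2                                     # skip ServerNameList length
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                lpos += 3
                if ntype == 0:
                    return edata[lpos:lpos + nlen].decode("idna")
                lpos += nlen
    except (IndexError, struct.error):
        raise ValueError("malformed ClientHello")
    return None

def tunnel_decision(first_bytes: bytes, mitm_enabled: bool):
    """The switch Caio proposes: with MITM off, always relay opaquely; with it on,
    terminate TLS only when the tunnel opens with a ClientHello naming a host a
    certificate can be minted for, and fall back to relaying otherwise."""
    if not mitm_enabled:
        return "relay", None
    try:
        name = sni_from_client_hello(first_bytes)
    except ValueError:
        return "relay", None
    return ("mitm", name) if name else ("relay", None)
```

The `ValueError` path matters for a real proxy: a ClientHello can arrive split across TCP segments, so "not enough bytes yet" has to be distinguished from "not TLS at all" before the handler decides to relay. And as Adam and Danilo note, whatever certificate is minted for the returned name will still fail browser validation unless the issuing CA has been installed on the client.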