https proxy

Paul Rubin http
Wed Jul 28 00:04:39 CEST 2004


"Paul Sweeney" <reverse.ku.oc.issolok at nothypgnal.delrest.co.uk> writes:
> I wish to access an https:// site using my browser and click around
> it.  I wish to see the http(s) GET urls and http(s) POST urls and
> data which are being sent to the https server.  If the site were an
> http:// site I would use a tool like ethereal to see what was going
> on, but this data is sent encrypted from the browser due to the
> https connection, so I'll just see the encrypted data. So I need a
> tool to view the unencrypted form of the data which is being sent
> encrypted (sorry for being unclear about the "unecrypted data" in my
> last post, I hope this is better).

You could do that but I don't know of already-existing Python code
that does it.  Basically it would be a man-in-the-middle attack against
the browser/server pair:

  browser---(SSL)---proxy---(SSL)---server

There'd be two separate SSL sessions and the proxy would of course
have to present its own server certificate to the browser, which you'd
configure the browser to accept.  The server application could take
various measures to detect this subterfuge and stop it from happening,
but I doubt any normal server apps actually bother to do that.  It's
not a true security break, since the browser user has to accept the
proxy certificate, thereby giving "permission" for the interception.



More information about the Python-list mailing list