https proxy

John Hazen john at hazen.net
Wed Jul 28 04:25:27 CEST 2004


* Peter Hansen <peter at engcorp.com> [2004-07-27 13:55]:
> Paul Sweeney wrote:
> 
> >I wish to access an https:// site using my browser and click around it.  I
> >wish to see the http(s) GET urls and http(s) POST urls and data which are
> >being sent to the https server.  If the site were an http:// site I would
> >use a tool like ethereal to see what was going on, but this data is sent
> >encrypted from the browser due to the https connection, so I'll just see the
> >encrypted data. So I need a tool to view the unencrypted form of the data
> >which is being sent encrypted (sorry for being unclear about the "unencrypted
> >data" in my last post, I hope this is better).
> 
> Based on what you say here, I think the answer is back to being
> "impossible".  The encryption is going on in the browser.  If
> the browser thinks it's talking HTTPS, then it will encrypt
> stuff and talk HTTPS.  Nothing between the browser end of the
> socket and the server end of the socket will be able to
> decrypt it.

Although, if this is just for testing, I think you could trick the
browser by running a proxy on a different machine that accepts an HTTPS
connection, and creates another HTTPS connection with the destination
server.  Then run your own DNS server that hands back bogus answers to
every request resolving to the proxy's IP address.

The browser will talk HTTPS to the proxy, thinking it's talking to the
target server.  Of course, this will trigger the "certificate doesn't
match IP address" type of warning, but I think most browsers will let
you continue after warning you.  (If not, you could probably still get
around it with the gross hack of having the DNS server communicate with
the proxy, so the proxy could generate on the fly a certificate for the
server name that the browser is trying to reach.  This would get you the
"certificate can't be verified" type of error, which is definitely one
that you can continue after acknowledging.)

So, if it's just for testing and research, that might work.  Obviously,
it's not a viable setup if you're trying to use it to snoop on the
conversations of unsuspecting users (which I'm not accusing you of, but
it's a much harder problem).

-John
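
The two browser warnings described in the message above correspond to two separate client-side certificate checks: hostname matching and issuer trust. The following is an added example, not part of the original thread. It assumes constructed certificates shaped like the output of Python's ssl.SSLSocket.getpeercert(), made-up host and CA names, and a trust check reduced to an issuer-name lookup (a real client verifies the signature chain).

```python
# Added illustration: the two certificate checks behind the warnings above.
# Certificates are constructed dicts shaped like ssl.SSLSocket.getpeercert()
# output. All names are made up. Trust is simplified to an issuer-name lookup;
# a real client verifies the signature chain up to a trusted root.

def _cn(name_field):
    """Pull commonName out of a getpeercert()-style subject/issuer tuple."""
    for rdn in name_field:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def _name_matches(pattern, host):
    """Simplified RFC 6125 match: exact, or '*.' covering one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host

def check_certificate(cert, requested_host, trusted_issuers):
    """Return the list of warnings a client would raise for this certificate."""
    warnings = []
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:  # legacy fallback to the subject commonName
        cn = _cn(cert.get("subject", ()))
        dns_names = [cn] if cn else []
    if not any(_name_matches(n, requested_host) for n in dns_names):
        warnings.append("name-mismatch")      # "certificate doesn't match"
    if _cn(cert.get("issuer", ())) not in trusted_issuers:
        warnings.append("untrusted-issuer")   # "certificate can't be verified"
    return warnings

def make_cert(subject_cn, issuer_cn, sans=()):
    """Build a constructed certificate dict for the demonstration."""
    return {"subject": ((("commonName", subject_cn),),),
            "issuer": ((("commonName", issuer_cn),),),
            "subjectAltName": tuple(("DNS", s) for s in sans)}

TRUSTED = {"Constructed Root CA"}
GENUINE = make_cert("shop.example", "Constructed Root CA", ["shop.example", "*.shop.example"])
PROXY_OWN = make_cert("proxy.test", "Constructed Root CA", ["proxy.test"])
PROXY_ON_THE_FLY = make_cert("shop.example", "Test Proxy CA", ["shop.example"])

if __name__ == "__main__":
    for label, cert in [("genuine", GENUINE), ("proxy's own cert", PROXY_OWN),
                        ("proxy on-the-fly cert", PROXY_ON_THE_FLY)]:
        print(label, "->", check_certificate(cert, "shop.example", TRUSTED) or "no warning")
```

Either warning on a site that normally loads cleanly is the visible sign that something between the browser and the server is terminating the TLS session.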


