
Re: HTTP::Proxy SSL Man in the middle

by rowdog (Curate)
on Aug 19, 2010 at 14:03 UTC


in reply to HTTP::Proxy SSL Man in the middle

I believe you could do something like...

  • Generate a bogus CA.
  • Install CA root cert in kids' browser.
  • Have the proxy generate bogus certs and sign with your CA.
  • Hope the kids don't notice how slow SSL has become.

Replies are listed 'Best First'.
Re^2: HTTP::Proxy SSL Man in the middle
by morgon (Priest) on Aug 20, 2010 at 02:16 UTC
    Something like this is actually done in big institutions.

    Some years ago I did a project in a big bank in Switzerland.
    Pretty much everybody there was using the "official" Internet Explorer. The funny thing was that when you used Firefox you got warnings on ssl-secured sites that the certificate did not match the domain-name. In fact it turned out that their proxy just returned a self-signed certificate and the "official" Internet Explorer had been modified so that it would silently accept this certificate.

    So in effect they had a man-in-the-middle with hardly anybody noticing it.

    So if you want to do it yourself the important thing is that you must be able to control the browser (and I assume that if you can force your users to use IE you're already halfway there).

    And as an aside: Never trust the browsers that are rolled out by the IT-departments of big organisations.

Re^2: HTTP::Proxy SSL Man in the middle
by locked0wn (Acolyte) on Aug 19, 2010 at 14:17 UTC
    Thanks for the responses. Not looking to break SSL security for NSA's sake. Funny though.

    I intend to generate a bogus CA, install it into the kids' browser, etc, etc...

    My main question has to do with the "Perl" side of this, and whether or not HTTP::Proxy can be used as the proxy for this need? I want to know if anyone knows if it will support SSL? If not, is there another module someone recommends for this?

    Thank you again for your help in advance.

      I haven't ever written anything with HTTP::Proxy but it looks very flexible so you might be able to convince it to work with SSL. On the other hand, HTTP::Proxy isn't really designed for MITM attacks so it'll want to add the proper headers and such.

      One way to do this would be to use POE. You can do something based on the Cookbook example of a simple Web Proxy.

        I don't know about SSL, but HTTP::Proxy lends itself very nicely for monitoring/modifying things by being man-in-the-middle. I use it to allow special commands to be run by the proxy when a user requests specific URLs. I created a filter that monitors URLs, and breaks them apart. I can use this filter to modify what someone is asking for, change what is fed back to a user, and if I need the system to take an action and create a complete HTML page on the fly. Again, I do all of this with HTTP, not SSL. I don't know if HTTP::Proxy supports SSL, never tried it. Anyone try to get SSL to work with HTTP::Proxy? Good question.
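
An added example, not part of any post in this thread: the bogus-CA steps from the first reply, run with the openssl CLI on throwaway files, showing that the signed leaf verifies only where the private root is trusted and that its issuer field gives the interception away. The CA names and example.test are constructed.

```shell
#!/bin/sh
# Added example. Every name here (Demo Filter CA, Demo Public CA,
# example.test) is constructed; nothing comes from the thread.

# Build a private CA, an unrelated CA, and a leaf signed by the private CA.
make_demo_pki() {
    dir=$1
    # The locally generated root that the filtering proxy would sign with.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Filter CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Stand-in for a trust store that never had the private root installed.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Public CA" \
        -keyout "$dir/pub.key" -out "$dir/pub.pem" 2>/dev/null || return 1
    # Per-site leaf, as the proxy would mint for example.test.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/leaf.csr" -days 1 -CAcreateserial \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -out "$dir/leaf.pem" 2>/dev/null
}

# Succeeds only if leaf $2 chains to the trust anchor file $1.
trusts_leaf() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Issuer line of a certificate: the field to check when looking for
# interception, since it names the proxy's CA instead of a public one.
leaf_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

demo=$(mktemp -d)
make_demo_pki "$demo" || { echo "openssl failed" >&2; exit 1; }
for store in ca.pem pub.pem; do
    if trusts_leaf "$demo/$store" "$demo/leaf.pem"; then
        echo "$store: leaf accepted with no warning"
    else
        echo "$store: verification fails, client warns"
    fi
done
leaf_issuer "$demo/leaf.pem"
rm -rf "$demo"
```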
