<div dir="ltr">Oh, and before anyone asks, certificate pinning is probably irrelevant for user added certificates <a href="https://www.imperialviolet.org/2011/05/04/pinning.html">https://www.imperialviolet.org/2011/05/04/pinning.html</a><br>
<br><div><b>What about MITM proxies, Fiddler etc?</b><br><br>There are a number of cases where HTTPS connections are intercepted by using local, ephemeral certificates. These certificates are signed by a root certificate that has to be manually installed on the client. Corporate MITM proxies may do this, several anti-virus/parental control products do this and debugging tools like Fiddler can also do this. Since we cannot break in these situations, user installed root CAs are given the authority to override pins. We don't believe that there will be any incompatibility issues.</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Aug 2, 2013 at 3:17 PM, Elazar Leibovich <span dir="ltr"><<a href="mailto:elazarl@gmail.com" target="_blank">elazarl@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>I'm maintaining a small HTTP proxy library that allows you to eavesdrop on HTTP requests. Someone reported a bug which I cannot recreate, so I'm trying my luck here. [repost from golang-nuts, where I didn't get an answer].</div>
<div><br></div><div><div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif">It seems to work on my machine, but a user still complains. <a href="https://github.com/elazarl/goproxy/issues/15" style="color:rgb(102,17,204);margin:0px;padding:0px;border:0px;vertical-align:baseline;text-decoration:none" target="_blank">https://github.com/elazarl/goproxy/issues/15</a></div>
<div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif"><br></div><div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif">
I could use two forms of help:</div><div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif"><br></div><div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif">
1) Test it on your environment and report the results.</div><div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif"><br></div><div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif">
$ mkdir ~/gopath2</div><div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif">$ GOPATH=~/gopath2 go get <a href="http://github.com/elazarl/goproxy/examples/eavesdropper" target="_blank">github.com/elazarl/goproxy/examples/eavesdropper</a></div>
<div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif">$ # add ~/gopath2/src/<a href="http://github.com/elazarl/goproxy/ca.cert" target="_blank">github.com/elazarl/goproxy/ca.cert</a> as a root CA to your browser</div>
<div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif">$ ~/gopath2/bin/eavesdropper</div><div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif">
# use HTTP proxy at localhost:8080, browse to a https site, and see if you get warnings</div><div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif"><br>
</div><div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif">
2) Generally speaking, I don't really know too much cryptography in general, or TLS/SSL in particular. If you do, have a look at the code and explain my mistakes.</div><div style="font-size:13px;margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif">
Most of the logic is here: <a href="https://github.com/elazarl/goproxy/blob/master/signer.go" style="color:rgb(102,17,204);margin:0px;padding:0px;border:0px;vertical-align:baseline;text-decoration:none" target="_blank">https://github.com/elazarl/goproxy/blob/master/signer.go</a></div>
</div><div><div style="margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif;font-size:13px"><br></div><div style="margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif;font-size:13px">
The way it does that is:</div><div style="margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif;font-size:13px">1) goproxy has a built-in CA certificate, hard-coded into a variable. It's generated with <a href="http://golang.org/src/pkg/crypto/tls/generate_cert.go" style="margin:0px;padding:0px;border:0px;vertical-align:baseline;text-decoration:none;color:rgb(102,17,204)" target="_blank">http://golang.org/src/pkg/crypto/tls/generate_cert.go</a></div>
<div style="margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif;font-size:13px">2) Given a CONNECT <a href="http://foo.com:443/" style="margin:0px;padding:0px;border:0px;vertical-align:baseline;text-decoration:none;color:rgb(102,17,204)" target="_blank">foo.com:443</a> proxy request, it would:</div>
<div style="margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif;font-size:13px">3) Generate a certificate for <a href="http://foo.com/" style="margin:0px;padding:0px;border:0px;vertical-align:baseline;text-decoration:none;color:rgb(102,17,204)" target="_blank">foo.com</a> and sign it with the builtin CA,</div>
<div style="margin:0px;padding:0px;border:0px;vertical-align:baseline;font-family:Arial,Helvetica,sans-serif;font-size:13px">4) Submit this certificate with the certificate chain: [new_cert, CA], using crypto/tls package.</div>
</div></div>
</blockquote></div><br></div>
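<div dir="ltr">The four steps Elazar describes (built-in CA, CONNECT host, mint a leaf, present the chain [new_cert, CA] through crypto/tls), written out as an added stand-alone example. This is not goproxy's signer.go and not the Chromium code quoted above; the names <code>mitmCA</code>, <code>newCA</code>, <code>leafFor</code> and <code>verifyAs</code> are hypothetical, and instead of reading the project's <code>ca.cert</code> it generates a throwaway CA in memory. The <code>verifyAs</code> helper then checks the presented chain the way a browser that has (or has not) installed the root would, which is the quickest way to see whether a minted certificate is well-formed before involving a browser at all.</div>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mitmCA is a constructed, in-memory stand-in for a proxy's hard-coded root CA.
// Hypothetical type; this is not goproxy's own code.
type mitmCA struct {
	cert *x509.Certificate
	der  []byte
	key  *ecdsa.PrivateKey
}

// newCA generates a self-signed root that is allowed to sign leaf certificates
// (IsCA plus KeyUsageCertSign), the role generate_cert.go plays for the project.
func newCA() (*mitmCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example MITM proxy CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour), // tolerate small clock skew
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &mitmCA{cert: cert, der: der, key: key}, nil
}

// leafFor covers steps 2-4: given the host from a CONNECT request, mint a leaf
// certificate for it, sign it with the CA, and return a tls.Certificate whose
// chain is [leaf, CA], ready to be placed in tls.Config.Certificates.
func (ca *mitmCA) leafFor(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	// Unique serial per minted certificate; clients cache by issuer+serial.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // SAN entry: browsers match the host here, not in the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der, ca.der}, PrivateKey: key}, nil
}

// verifyAs checks the presented chain as a browser would for host, trusting only
// the roots in pool. An empty (non-nil) pool models "the user never installed
// ca.cert"; the proxy CA is the root, so trust rests entirely on pool.
func verifyAs(presented tls.Certificate, host string, pool *x509.CertPool) error {
	leaf, err := x509.ParseCertificate(presented.Certificate[0])
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, err := newCA()
	if err != nil {
		panic(err)
	}
	leaf, err := ca.leafFor("foo.com")
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.cert)
	fmt.Println("CA installed:    ", verifyAs(leaf, "foo.com", trusted))
	fmt.Println("CA not installed:", verifyAs(leaf, "foo.com", x509.NewCertPool()))
	fmt.Println("wrong host:      ", verifyAs(leaf, "bar.com", trusted))
}
```

<div dir="ltr">Running it prints <code>&lt;nil&gt;</code> for the first case and a certificate error for the other two. The two failure cases are the ones worth reproducing when a user reports browser warnings: an unknown-authority error means the root was not actually imported into the store the browser uses, and a hostname error means the minted leaf does not carry the CONNECT host as a subject alternative name.</div>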