Help recreating bug report in proxy library

Elazar Leibovich elazarl at gmail.com
Fri Aug 2 15:23:49 IDT 2013


Oh, and before anyone asks, certificate pinning is probably irrelevant for
user-added certificates
https://www.imperialviolet.org/2011/05/04/pinning.html

*What about MITM proxies, Fiddler etc?*

There are a number of cases where HTTPS connections are intercepted by
using local, ephemeral certificates. These certificates are signed by a
root certificate that has to be manually installed on the client. Corporate
MITM proxies may do this, several anti-virus/parental control products do
this and debugging tools like Fiddler can also do this. Since we cannot
break in these situations, user installed root CAs are given the authority
to override pins. We don't believe that there will be any incompatibility
issues.


On Fri, Aug 2, 2013 at 3:17 PM, Elazar Leibovich <elazarl at gmail.com> wrote:

> Hi,
>
> I'm maintaining a small HTTP proxy library that allows you to eavesdrop on
> HTTP requests. Someone reported a bug which I cannot recreate, so I'm
> trying my luck here. [repost from golang-nuts, where I didn't get an
> answer].
>
> It seems to work on my machine, but a user still complains.
> https://github.com/elazarl/goproxy/issues/15
>
> I could use two forms of help:
>
> 1) Test it on your environment and report the results.
>
> $ mkdir ~/gopath2
> $ GOPATH=~/gopath2 go get github.com/elazarl/goproxy/examples/eavesdropper
> $ # add ~/gopath2/src/github.com/elazarl/goproxy/ca.cert as a root CA to your browser
> $ ~/gopath2/bin/eavesdropper
> $ # use the HTTP proxy at localhost:8080, browse to an https site, and see if you get warnings
>
>  2) Generally speaking, I don't really know too much cryptography in
> general, or TLS/SSL in particular. If you do, have a look at the code and
> explain my mistakes.
>     Most of the logic is here:
> https://github.com/elazarl/goproxy/blob/master/signer.go
>
> The way it does that is:
> 1) goproxy has a built-in CA certificate, hard-coded into a variable. It's
> generated with http://golang.org/src/pkg/crypto/tls/generate_cert.go
> 2) Given a CONNECT foo.com:443 proxy request, it would:
> 3) Generate a certificate for foo.com and sign it with the builtin CA,
> 4) Submit this certificate with the certificate chain: [new_cert, CA],
> using crypto/tls package.
>
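The four steps quoted above (a CA the client trusts, a leaf minted per CONNECT target, signed by that CA, presented as the chain [leaf, CA]) carried out end to end in Go, followed by the check a browser with the CA installed would perform. This is an added example, not goproxy's signer.go and not an attempt to reproduce the reported bug: it mints a throwaway CA instead of goproxy's hard-coded one, the function names newCA, signLeaf, verifyAsClient and MintAndVerify are this example's own, and the hostnames are made up. The point a practitioner will want to see is that the requested name is matched against the SAN extension and that the leaf carries the server-auth extended key usage, so the verifier is asked for exactly those two things.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA mints a self-signed CA in memory. goproxy ships one fixed CA that the
// user installs in the browser; a throwaway CA keeps this example self-contained.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example eavesdropping proxy CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// signLeaf is the per-CONNECT step: issue a server certificate for host, signed
// by the CA, packed as crypto/tls wants it: chain [leaf, CA] plus the leaf key.
func signLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	// Serials must be unique per CA; a random 127-bit value avoids collisions
	// between leaves minted for different hosts.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		// Clients match the requested name against the SAN, not the CN alone.
		DNSNames:    []string{host},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der, ca.Raw}, PrivateKey: key}, nil
}

// verifyAsClient replays what a browser with ca installed as a root does: the
// presented leaf must chain to that root, be valid for the requested name and
// be usable for TLS server authentication.
func verifyAsClient(ca *x509.Certificate, presented tls.Certificate, requested string) error {
	leaf, err := x509.ParseCertificate(presented.Certificate[0])
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{
		DNSName:   requested,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// MintAndVerify signs a leaf for signedFor and verifies it as a client asking
// for requested; nil means the interception would pass without a warning.
func MintAndVerify(signedFor, requested string) error {
	ca, caKey, err := newCA()
	if err != nil {
		return err
	}
	leaf, err := signLeaf(ca, caKey, signedFor)
	if err != nil {
		return err
	}
	return verifyAsClient(ca, leaf, requested)
}

func main() {
	fmt.Println("leaf for foo.com, client asked for foo.com:", MintAndVerify("foo.com", "foo.com"))
	fmt.Println("leaf for foo.com, client asked for bar.com:", MintAndVerify("foo.com", "bar.com"))
}
```

The second call is the negative case: a leaf whose SAN does not cover the name the client connected to is rejected even though it chains to a trusted root, which is the kind of mismatch that surfaces in a browser as a certificate warning. When testing a real proxy, the same check can be run against the chain it actually serves by connecting with tls.Dial using InsecureSkipVerify and inspecting ConnectionState().PeerCertificates.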


More information about the Linux-il mailing list