TLS/SSL (the S in HTTPS) guarantees that there are no eavesdroppers between you and the server you are contacting, i.e. no proxies. Normally, you use CONNECT to open up a TCP connection through the proxy. In this case, the proxy will not be able to cache, read, or modify any requests/responses, and is therefore rather useless.
If you want the proxy to be able to read information, you can take the following approach:
- Client starts HTTPS session
- Proxy transparently intercepts the connection and returns an ad-hoc generated (possibly weak) certificate Ka, signed by a certificate authority that is unconditionally trusted by the client.
- Proxy starts HTTPS session to target
- Proxy verifies integrity of SSL certificate; displays error if the cert is not valid.
- Proxy streams content, decrypts it and re-encrypts it with Ka
- Client displays stuff
An example is Squid's SSL bump. Similarly, Burp can be configured to do this. This has also been used in a less-benign context by an Egyptian ISP.
Note that modern websites and browsers can employ HPKP or built-in certificate pins, which defeat this approach.
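As an added illustration (not part of the original answer, and not Squid or Burp code), the Go program below builds a constructed PKI matching the scheme above and shows why pinning defeats it: ordinary chain validation accepts the proxy's ad-hoc certificate for `example.test` because the proxy's CA is in the client's trust store, while a SPKI pin of the kind HPKP and built-in pins carry rejects it. All CA and host names are made up, and the certificates are generated in-process.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)

// spkiPin computes an HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}
// issue mints a constructed test certificate for name; a nil issuer yields a self-signed CA.
func issue(name string, issuer *x509.Certificate, ikey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: issuer == nil, BasicConstraintsValid: true,
	}
	if issuer == nil { issuer, ikey = tmpl, key } // self-signed: the template is its own parent
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, ikey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// checkLeaf runs ordinary chain validation against roots and, separately, compares the leaf's SPKI pin with one recorded out of band.
func checkLeaf(leaf *x509.Certificate, roots *x509.CertPool, pin string) (chainOK, pinOK bool) {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "example.test", Roots: roots})
	return err == nil, spkiPin(leaf) == pin
}

// scenario: the client trusts both the origin's CA and the proxy's CA, but has pinned the origin's key.
func scenario() (interceptChainOK, interceptPinOK, originChainOK, originPinOK bool) {
	originCA, originCAKey := issue("origin-ca.test", nil, nil)
	originLeaf, _ := issue("example.test", originCA, originCAKey)
	proxyCA, proxyCAKey := issue("proxy-ca.test", nil, nil)        // the CA the client trusts unconditionally
	interceptLeaf, _ := issue("example.test", proxyCA, proxyCAKey) // the ad-hoc certificate Ka
	roots := x509.NewCertPool()
	roots.AddCert(originCA)
	roots.AddCert(proxyCA)
	interceptChainOK, interceptPinOK = checkLeaf(interceptLeaf, roots, spkiPin(originLeaf))
	originChainOK, originPinOK = checkLeaf(originLeaf, roots, spkiPin(originLeaf))
	return
}
```

The first pair of results is the interesting one: the interception certificate validates cleanly yet fails the pin, which is exactly the signal a pinning client (or a monitoring script comparing observed SPKI hashes against expected ones) acts on.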
Fight with dragons for too long and you become a dragon yourself; gaze too long into the abyss and the abyss gazes back...