Beefy Boxes and Bandwidth Generously Provided by pair Networks
go ahead... be a heretic
 
PerlMonks  

HTTP::Proxy SSL Man in the middle

by locked0wn (Acolyte)
on Aug 18, 2010 at 19:25 UTC ( #855889=perlquestion: print w/replies, xml ) Need Help??
locked0wn has asked for the wisdom of the Perl Monks concerning the following question:

Hello monks,

I have always wanted to setup an SSL man-in-the-middle Proxy to help monitor what kids are doing online. Can anyone tell me if there is a way to use HTTP::Proxy in this manner?

I am trying to meet my own requirements as such:
  • Instead of forwarding encrypted data between the two hosts, proxy will set up two DIFFERENT SSL connections between the two.
  • Proxy<->Remote Server Sets up a normal SSL client connection to requested remote site
  • Proxy<->Browser Sets up a SSL server connection to the browser, using its own certificate, generated as a copy of the remote hostís cert

If the browser accepts this fake cert, the proxy has access to the data in the clear!

Basically, this will allow me to write perl regex scripts to see if my kids are violating family use of the Internet. They already know the house rule is to monitor all outgoing traffic. At the moment, I monitor HTTP, but want a proxy for SSL, too.

Thank you very much in advance for your help.

Replies are listed 'Best First'.
Re: HTTP::Proxy SSL Man in the middle
by bluescreen (Friar) on Aug 19, 2010 at 00:35 UTC

    This is probably OT, but SSL is meant to be so Man in the middle attacks cannot happen, only the two endpoints know how to decrypt messages they send to each other. You could create rules in each computer to redirect all SSL messages to a proxy and do what you say but your kid's browser will warn he/she as the certificate would be self signed instead of the appropriate cert.

    I would tackle your problem in a different way, why don't set up an regular HTTP proxy ( such as Squid ) and block your internet connection and make every computer in your home use that proxy? With that setup you would be able to monitor all kind of activity and even block sites with unappropriated content

    Since all traffic pass through one box you can also use other tools ( iptables, scripts ) to enforce your internet policy such as an script that shuts down squid at the afternoon/night when they have to do assignments. Out of the box Squid has many features and it might have whay you're looking for.

    ------------ | Internet | ------------ | --------- | Proxy | --------- | --------------+--------------- | | | --------- --------- --------- | PC #1 | | PC #2 | ... | PC #N | --------- --------- ---------
Re: HTTP::Proxy SSL Man in the middle
by zentara (Archbishop) on Aug 19, 2010 at 12:45 UTC
    If you figure it out, you can sell it to the NSA. :-)

    I'm not really a human, but I play one on earth.
    Old Perl Programmer Haiku
Re: HTTP::Proxy SSL Man in the middle
by rowdog (Curate) on Aug 19, 2010 at 14:03 UTC

    I believe you could do something like...

    • Generate a bogus CA.
    • Install CA root cert in kids' browser.
    • Have the proxy generate bogus certs and sign with your CA.
    • Hope the kids don't notice how slow SSL has become.
      Something like this is actually done in big institutions.

      Some year ago I did a project in a big bank in Switzerland.
      Pretty much everybody there was using the "official" Internet Explorer. The funny thing was that when you used Firefox you got warnings on ssl-secured sites that the certificate did not match the domain-name. In fact it turned out that their proxy just returned a self-signed certificate and the "official" Internet Explorer had been modified so that it would silently accept this certificate.

      So in effect they had a man-in-the-middle with hardly anybody noticing it.

      So if you want to do it yourself the important thing is that you must be able to control the browser (and I assume that if you can force your users to use IE you're already halfway there).

      And as an aside: Never trust the browsers that are rolled out by the IT-departments of big organisations.

      Thanks for the responses. Not looking to break SSL security for NSA's sake. Funny though.

      I intend to generate bogus CA, install into kids browser, etc, etc...

      My main question has to do with the "Perl" side of this, and whether or not HTTP::Proxy can be used as the proxy for this need? I want to know if anyone knows if it will support SSL? If not, is there another module someone recommends for this?

      Thank you again for your help in advance

        I haven't ever written anything with HTTP::Proxy but it looks very flexible so you might be able to convince it to work with SSL. On the other hand, HTTP::Proxy isn't really designed for MITM attacks so it'll want to add the proper headers and such.

        One way to do this would be to use POE. You can do something based on the Cookbook example of a simple Web Proxy.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://855889]
Approved by Corion
help
Chatterbox?
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others wandering the Monastery: (6)
As of 2018-02-23 09:34 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    When it is dark outside I am happiest to see ...














    Results (301 votes). Check out past polls.

    Notices?