Bruce:

    You may want to look at Paros. It's an open-source proxy where you can
see the HTTPS traffic in plain text.

Best Regards.
Umesh.
----- Original Message ----- 
From: "Bruce Keats" <[EMAIL PROTECTED]>
To: <dev-tech-crypto@lists.mozilla.org>
Sent: Monday, December 10, 2007 9:28 PM
Subject: Re: Terminating SSL on the web proxy


>I was curious about the last scenario.
>
> 2. The Server Side Proxy (a.k.a., Reverse Proxy)
>
>              Public Internet           Intranet
>  [browser]---------------------[proxy]----------[server]
>                    SSL                   plain
>
> In this case, does the proxy have to convert the URIs from the browser as
> well as terminate the SSL connection?  Specifically, does the proxy have to
> convert the URI from the browser by changing https:// to http:// to the
> server?  Does the proxy have to convert the URI from the server by changing
> http:// to https:// when going in the reverse direction?
>
> Thanks,
> Bruce
>
> On Dec 7, 2007 6:35 PM, Nelson Bolyard <[EMAIL PROTECTED]>
> wrote:
>
>> Florian Weimer wrote, On 2007-12-07 02:54:
>> > Is it possible to configure NSS (or, more precisely, Firefox) to
>> > terminate SSL connections on the web proxy, so that the proxy receives
>> > requests in the clear (and handles the certificate verification)?
>>
>> I think, but am not certain, that you're describing something like this:
>>
>>             Intranet           public Internet
>>   [browser]----------[proxy]---------------------[server]
>>               plain                  SSL
>>
>> and you're asking if the browser can be configured so that when it
>> attempts to fetch an https URL, it does not use SSL itself, but sends
>> the request unencrypted as an http request to a proxy on the client's
>> side of the Internet, and SSL is used between the proxy and the server,
>> but not between the browser and the proxy.
>>
>> If that's what you're asking, the answer is: no.  The browser cannot be
>> configured to fetch an https URL without using SSL itself.
>>
>> You might be asking about either of these alternatives, both of which
>> assume that the browser is attempting to fetch an https URL:
>>
>> 1. The Man-In-The-Middle proxy
>>
>>             Intranet           public Internet
>>   [browser]----------[proxy]---------------------[server]
>>               SSL                    SSL
>>
>> In this picture, the browser is using SSL to talk to the proxy, and
>> the proxy is using SSL to talk to the server.  The SSL is not
>> "end to end".  The proxy decrypts everything coming in one side and
>> encrypts it before sending it outside the other.  This is called a
>> "Man In The Middle" (as I'm sure you know).  It is possible to
>> configure a browser to work with such a proxy, by configuring the
>> browser to accept certificates from a pseudo-CA that operates in the
>> proxy.  In the absence of such configuration, the browser should be able
>> to detect all attempts to do this, as being attacks on the secure
>> communications.  (I'm sure you know this.)
>>
>>
>> 2. The Server Side Proxy (a.k.a., Reverse Proxy)
>>
>>               Public Internet           Intranet
>>   [browser]---------------------[proxy]----------[server]
>>                     SSL                   plain
>>
>> Here the proxy acts as the server, as seen by the Internet.  The browser
>> connects to the proxy via https with SSL, and the proxy sends the
>> request on to the true "back end" server as an ordinary http request, in
>> plain text, unencrypted.  This sort of thing happens all the time, and
>> requires no special browser configuration.   The browser simply thinks
>> that the proxy is the server in the https URL, and contacts it normally
>> with SSL.
>>
>> If you're asking about something else, please explain.
>>
>> _______________________________________________
>> dev-tech-crypto mailing list
>> dev-tech-crypto@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-tech-crypto
>>

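What the reverse proxy of scenario 2 actually has to do, as an added example that is not code from this thread, from NSS or from Firefox. It is a minimal TLS-terminating reverse proxy in stand-library Python; the public name www.example.com, the plain-http back end at 127.0.0.1:8080 and the optional PEM cert/key for the listener are all assumptions. The point it makes about Bruce's question: a browser talking to what it believes is the origin server sends only the path in its request line, so there is no https:// to rewrite on the way in; the proxy instead tells the back end what the outside world saw (Host, X-Forwarded-Proto) so it can build https:// links itself, and only absolute http:// Location headers that a naive back end produces need fixing on the way back.

```python
"""Minimal TLS-terminating reverse proxy for scenario 2 in the thread.

Added illustration, not code from the thread, from NSS or from Firefox.
Everything named here is assumed: the public name www.example.com, a
plain-http back end on 127.0.0.1:8080, and an optional PEM cert/key pair
for the listener.
"""
import http.client
import http.server
import ssl

PUBLIC_HOST = "www.example.com"   # host in the browser's https:// URL (assumed)
BACKEND = ("127.0.0.1", 8080)     # plain-http back end on the intranet (assumed)

# Hop-by-hop headers belong to one TCP connection and are never forwarded.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate",
              "proxy-authorization", "te", "trailers",
              "transfer-encoding", "upgrade"}


def backend_headers(client_headers, client_ip):
    """Headers for the plain-http hop to the back end.

    Nothing in the request line is rewritten: a browser talking to an
    origin server sends only the path ("GET /x HTTP/1.1"), never the
    https:// URL, so there is no scheme to convert on the way in.  What
    the proxy must add is enough context for the back end to build
    correct https:// links itself (Host and X-Forwarded-Proto).
    """
    out = {k: v for k, v in client_headers.items()
           if k.lower() not in HOP_BY_HOP and k.lower() != "host"}
    out["Host"] = PUBLIC_HOST
    out["X-Forwarded-Proto"] = "https"
    out["X-Forwarded-For"] = client_ip
    return out


def rewrite_location(value):
    """Fix a Location header built by a back end that only knows its own
    plain-http view of the world.  Only absolute URLs for our own public
    name are touched; relative redirects and other hosts pass through."""
    prefix = "http://" + PUBLIC_HOST
    if value == prefix or value.startswith(prefix + "/"):
        return "https" + value[len("http"):]
    return value


class ReverseProxyHandler(http.server.BaseHTTPRequestHandler):
    """Accepts the browser's request (TLS is terminated by the socket
    wrapper in serve()) and replays it to the back end in clear text."""

    def _proxy(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        conn = http.client.HTTPConnection(*BACKEND, timeout=10)
        conn.request(self.command, self.path, body=body,
                     headers=backend_headers(self.headers,
                                             self.client_address[0]))
        resp = conn.getresponse()
        data = resp.read()
        conn.close()
        self.send_response(resp.status, resp.reason)
        for name, val in resp.getheaders():
            low = name.lower()
            if low in HOP_BY_HOP or low == "content-length":
                continue  # re-emitted below from the buffered body
            if low == "location":
                val = rewrite_location(val)
            self.send_header(name, val)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_PUT = do_DELETE = _proxy


def serve(bind=("0.0.0.0", 8443), certfile=None, keyfile=None):
    """Build the listener.  With a cert/key it speaks TLS and is, as far
    as the browser can tell, the server named in the https:// URL; with
    none it is plain http, useful only for local testing."""
    srv = http.server.ThreadingHTTPServer(bind, ReverseProxyHandler)
    if certfile:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(certfile, keyfile)
        srv.socket = ctx.wrap_socket(srv.socket, server_side=True)
    return srv


if __name__ == "__main__":
    # e.g. serve(certfile="proxy.pem", keyfile="proxy.key").serve_forever()
    serve().serve_forever()
```

Two caveats a practitioner would add: the back end must trust X-Forwarded-Proto only when the request really came from the proxy (otherwise anyone who can reach port 8080 directly can claim to be "https"), and the intranet hop is genuinely plain text, so anything on that segment can read or alter the traffic that the browser believes is protected end to end.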