> OMG... I now know, or think I know, what you are talking about, and I am an
> idiot for not realizing it sooner. (should have realized it when you said
> "end point")
>
> The client exchanges keys and requests, while the proxy pretends to be the
> server in question, and the proxy pretends to be the client sending and
> receiving data to and from the real server; thus, enabling the man in the
> middle attack.
Well, in your case, the client wouldn't have to use keys at all - it could talk to the proxy via HTTP. The proxy could, in turn, talk to the target server via HTTPS. This isn't really a MITM thing, when you do it like this.

> Only one question remains... what if the server and client will only accept
> the use of known certificates?

Normally, in a true MITM situation, that would be a problem. In this case, it won't be a problem, as the server will present its certificate to the proxy, the proxy will accept it, and that will be that. If you're also using client certificates, that complicates things a bit, but based on your previous emails it's not clear whether that's the case - and with both the proxy and the client certificate installed on the same machine it still shouldn't be a problem, although I haven't tried using client certificates with Paros Proxy specifically.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

_______________________________________________
Flashcoders mailing list
[email protected]
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
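The "plain HTTP in, HTTPS out" arrangement Dave describes, as an added example that is not from this thread or from Paros Proxy: the client talks cleartext to a local listener, the listener opens a normal, certificate-verifying TLS connection to the real server, and every request and response passes through one function where it can be logged. `UPSTREAM_HOST`, the port and the `connect` hook are assumptions for illustration.

```python
import http.client
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

UPSTREAM_HOST = "example.invalid"   # assumed placeholder: the real HTTPS server
LISTEN = ("127.0.0.1", 8080)        # where the Flash client is pointed, plain HTTP
HOP_BY_HOP = {"connection", "keep-alive", "transfer-encoding", "proxy-connection"}

def make_tls_context():
    # The proxy is an ordinary TLS client: the default context checks the chain
    # against the system trust store and verifies the hostname, so the server's
    # certificate is validated here rather than by the client.
    ctx = ssl.create_default_context()
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx

def rewrite_headers(headers, upstream_host):
    """Drop hop-by-hop headers and point Host at the real server, not the proxy."""
    out = {k: v for k, v in headers.items() if k.lower() not in HOP_BY_HOP}
    out["Host"] = upstream_host
    return out

def forward(method, path, headers, body, connect=None):
    """Relay one request upstream over HTTPS; returns (status, headers, body).
    `connect` is injectable (assumption) so the relay logic runs without a network."""
    connect = connect or (lambda: http.client.HTTPSConnection(
        UPSTREAM_HOST, 443, context=make_tls_context(), timeout=10))
    conn = connect()
    conn.request(method, path, body=body, headers=rewrite_headers(headers, UPSTREAM_HOST))
    resp = conn.getresponse()
    data = resp.read()
    print(f"[proxy] {method} {path} -> {resp.status} ({len(data)} bytes)")  # inspection point
    skip = HOP_BY_HOP | {"content-length"}   # Content-Length is re-emitted by the handler
    return resp.status, [(k, v) for k, v in resp.getheaders() if k.lower() not in skip], data

class Handler(BaseHTTPRequestHandler):
    def _proxy(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        status, headers, data = forward(self.command, self.path, dict(self.headers), body)
        self.send_response(status)
        for k, v in headers:
            self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    do_GET = do_POST = _proxy

if __name__ == "__main__":
    HTTPServer(LISTEN, Handler).serve_forever()
```

Because the proxy keeps full certificate verification toward the server, a bad or unknown server certificate fails at the proxy, which is the behaviour Dave says makes this setup unproblematic for known-certificate servers.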

