I actually figured out what was necessary a few hours back, and thanks
for your comments. I felt like I was slapped in the head for not seeing
the obvious.
In my mind it is a man in the middle, because the proxy is simulating
the server in one direction and the client in the other; however, I get
what you are saying, considering I control how the client attempts its
connection.
Dave Watts wrote:
> > OMG... I now know, or think I know, what you are talking about, and I am an
> > idiot for not realizing it sooner. (should have realized it when you said
> > "end point")
> > The client exchanges keys and requests, while the proxy pretends to be the
> > server in question, and the proxy pretends to be the client sending and
> > receiving data to and from the real server; thus enabling the man in the
> > middle attack.
>
> Well, in your case, the client wouldn't have to use keys at all - it
> could talk to the proxy via HTTP. The proxy could, in turn, talk to
> the target server via HTTPS. This isn't really a MITM thing, when you
> do it like this.
>
> > Only one question remains... what if the server and client will only accept
> > the use of known certificates?
>
> Normally, in a true MITM situation, that would be a problem. In this
> case, it won't be a problem, as the server will present its
> certificate to the proxy, the proxy will accept it, and that will be
> that. If you're also using client certificates, that complicates
> things a bit, but based on your previous emails it's not clear whether
> that's the case - and with both the proxy and the client certificate
> installed on the same machine it still shouldn't be a problem,
> although I haven't tried using client certificates with Paros Proxy
> specifically.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!
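The arrangement Dave describes (client speaks plain HTTP to a local proxy, the proxy speaks HTTPS to the real server, and the proxy is the party that receives and checks the server certificate) can be sketched as a small forwarding proxy. The code below is an added example written for this page; it is not from the thread, and it is not Paros Proxy's code. UPSTREAM_HOST, LISTEN_PORT and PINNED_CA_FILE are placeholders chosen for the example. The "known certificates" question from the quoted exchange is handled by the upstream TLS context: by default it verifies the server certificate against the system trust store, and if you point PINNED_CA_FILE at the CA that issued the server's certificate, the proxy accepts only certificates chaining to that known CA and returns a 502 to the client otherwise.

```python
"""Local HTTP-to-HTTPS forwarding proxy (added example, not from the thread).

The client connects to 127.0.0.1:LISTEN_PORT over plain HTTP; the proxy
opens a verified HTTPS connection to UPSTREAM_HOST and relays the request
and the response. All host/port/file names here are placeholders.
"""
import ssl
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer

UPSTREAM_HOST = "example.invalid"  # placeholder for the real server (assumption)
LISTEN_PORT = 8080                 # placeholder local listening port
PINNED_CA_FILE = None              # e.g. "server-ca.pem" to accept only a known CA

# Hop-by-hop headers describe one connection and must not be relayed.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate",
              "proxy-authorization", "te", "trailers",
              "transfer-encoding", "upgrade"}


def rewrite_headers(headers, upstream_host):
    """Drop hop-by-hop headers and point Host at the real server.

    `headers` is an iterable of (name, value) pairs as received from the client.
    """
    out = {}
    for name, value in headers:
        lowered = name.lower()
        if lowered in HOP_BY_HOP or lowered == "host":
            continue
        out[name] = value
    out["Host"] = upstream_host
    return out


def upstream_context(ca_file=None):
    """TLS context used towards the real server.

    The certificate is always verified and the hostname checked; with
    `ca_file` set, only certificates chaining to that known CA are accepted.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


class ForwardingHandler(BaseHTTPRequestHandler):
    def _relay(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        headers = rewrite_headers(self.headers.items(), UPSTREAM_HOST)
        conn = http.client.HTTPSConnection(
            UPSTREAM_HOST, 443, context=upstream_context(PINNED_CA_FILE), timeout=15)
        try:
            conn.request(self.command, self.path, body=body, headers=headers)
            resp = conn.getresponse()
            data = resp.read()
        except ssl.SSLCertVerificationError as exc:
            # The server presented a certificate we do not trust: do not relay.
            self.send_error(502, "upstream certificate rejected: %s" % exc)
            return
        finally:
            conn.close()
        self.send_response(resp.status, resp.reason)
        for name, value in resp.getheaders():
            # Body is re-framed with our own Content-Length below.
            if name.lower() not in HOP_BY_HOP and name.lower() != "content-length":
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_PUT = do_DELETE = _relay


if __name__ == "__main__":
    # Run with the client's server address set to http://127.0.0.1:8080/.
    HTTPServer(("127.0.0.1", LISTEN_PORT), ForwardingHandler).serve_forever()
```

Because the TLS session terminates at the proxy, the client never sees the server's certificate at all, which is exactly why the "known certificates" restriction on the server side is not an obstacle here; the proxy, not the client, is the one that has to trust it.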
_______________________________________________
Flashcoders mailing list
[email protected]
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders