On 2021-05-21, Martin <martin...@protonmail.com> wrote:
> Hi,
>
> MITM is an ancient attack technique and it is not a good idea because it
> breaks the original cert chain. So the client (application) will see that the
> cert is different on its end. Most people and apps reject connections to a
> resource with a fake cert which you're going to send to them.

This is about providing monitored/filtered internet access to systems
that are particularly configured to use it. The way this works is that
you install the MITM-signing certificate on the machines accessing the
web via that proxy. Typically in that case browsers automatically
disable certificate pinning if the cert is signed by a locally
administered CA.

> But you can use Squid for MITM as Stuart recommended; from my side,
> HAProxy/Nginx can help you do this too. For SNI, Snort/Suricata can be
> useful, but for TLS up to v1.2 only.
>
> Sniffing the traffic that way is a bad idea; most services use
> TLSv1.3 with encrypted SNI. So your work will disappear in months.

There aren't many services which require TLSv1.3 with encrypted SNI
yet, so the interception proxy can restrict to TLS 1.2 to bypass this.
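The two points made in the reply above (the client only accepts the forged chain because the interception CA has been installed in its trust store, and the proxy side caps the connection at TLS 1.2) can be shown end to end with the Go standard library. This is an added example written for this page, not code from any of the list participants or from Squid, HAProxy or Suricata. The CA name, the intercepted hostname `www.example.com` and the function names are assumptions; the "proxy" is reduced to a loopback TLS listener that serves a freshly minted leaf, which is the step an SSL-bump proxy performs per connection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hypothetical site the managed client asks for (appears in its SNI).
const interceptedHost = "www.example.com"

// newInterceptCA creates the locally administered "MITM-signing" CA. In a
// deployment its certificate (never its key) is installed in the trust store
// of every machine that is meant to go through the proxy.
func newInterceptCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Intercepting Proxy CA"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// mintLeaf is the per-connection step of an intercepting proxy: issue a
// server certificate for the host named in the client's SNI, signed by the
// intercepting CA, so the client sees a chain ending in the installed root.
func mintLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // modern clients match SANs, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// handshake connects a client to a loopback "proxy" serving leaf. roots is
// what the client trusts; maxVersion is the highest version the proxy side
// offers (TLS 1.2 keeps the SNI and certificate in the clear for an IDS).
// It returns the negotiated TLS version, or the client's handshake error.
func handshake(leaf tls.Certificate, roots *x509.CertPool, maxVersion uint16) (uint16, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()

	srvCfg := &tls.Config{Certificates: []tls.Certificate{leaf}, MaxVersion: maxVersion}
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		// In the rejection case this returns the client's bad-certificate
		// alert; the client's verdict is what the caller reports.
		_ = tls.Server(conn, srvCfg).Handshake()
	}()

	cliCfg := &tls.Config{ServerName: interceptedHost, RootCAs: roots, MinVersion: tls.VersionTLS12}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

func main() {
	ca, caKey, err := newInterceptCA()
	if err != nil {
		panic(err)
	}
	leaf, err := mintLeaf(ca, caKey, interceptedHost)
	if err != nil {
		panic(err)
	}

	trusted := x509.NewCertPool() // a machine with the proxy CA installed
	trusted.AddCert(ca)
	v, err := handshake(leaf, trusted, tls.VersionTLS12)
	fmt.Printf("client trusting the proxy CA: version=%#x err=%v\n", v, err)

	untrusted := x509.NewCertPool() // CA not installed: the forged chain is rejected
	_, err = handshake(leaf, untrusted, tls.VersionTLS12)
	fmt.Printf("client without the proxy CA:  err=%v\n", err)

	v, err = handshake(leaf, trusted, tls.VersionTLS13)
	fmt.Printf("proxy not capped at 1.2:       version=%#x err=%v\n", v, err)
}
```

The first call succeeds and negotiates TLS 1.2 even though the client supports 1.3, because the proxy side sets `MaxVersion`; the second fails with an unknown-authority error, which is exactly the rejection Martin describes for clients that do not carry the CA; the third shows that dropping the cap yields TLS 1.3, where the certificate (and any ECH-protected SNI) is no longer visible to a passive sensor.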

