On 2021-05-21, Martin <martin...@protonmail.com> wrote:
> Hi,
>
> MITM is an ancient attack technique and it is not a good idea because it
> breaks the original cert chain. So the client (application) will see that the cert is
> different on its end. Most people and apps reject a connection to a resource
> with a fake cert which you're going to send to them.

This is about providing monitored/filtered internet access to systems that are specifically configured to use it. The way this works is that you install the MITM-signing certificate on the machines accessing the web via that proxy. Typically in that case browsers automatically disable certificate pinning if the cert is signed by a locally administered CA.

> But you can use Squid for MITM as Stuart recommended, from my side
> HAProxy/Nginx can help you too to do this. For SNI Snort/Suricata can be
> useful but for TLS up to v1.2 only.
>
> Sniffing the traffic that way is a bad idea, most services use
> TLSv1.3 with encrypted SNI. So your work will disappear in months.

There aren't many services which require TLSv1.3 with encrypted SNI yet, so the interception proxy can restrict to TLS 1.2 to bypass this.
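For reference, the Squid SSL-Bump setup the reply above describes, written out as an added example (not from this thread or from the Squid project docs): the proxy signs per-host certificates with a locally administered CA that is pre-installed on the managed clients, hosts that must never be bumped are spliced through untouched, and the server-side connection is capped at TLS 1.2. The CA paths, the splice list and the `NO_TLSv1_3` option are assumptions; confirm the exact option names against your Squid version's `tls_outgoing_options` and `http_port` documentation.

```squid
# Assumed paths: the interception CA (public cert + private key) that is also
# deployed to the managed clients' trust stores.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/interception-ca.pem \
    tls-key=/etc/squid/interception-ca.key \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=16MB

# Helper that mints and caches the per-host leaf certificates.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB

# Hosts that must never be intercepted (assumed example list): pinned
# clients, payment or health sites, OS update services. Keep this explicit.
acl nobump ssl::server_name .example-bank.test .example-health.test

# Step 1: read the client's CONNECT / SNI without touching the handshake.
acl step1 at_step SslBump1

ssl_bump peek step1
ssl_bump splice nobump
ssl_bump bump all

# Cap the proxy-to-origin side at TLS 1.2, as the reply suggests, so the
# upstream handshake stays inspectable (assumes NO_TLSv1_3 is supported by
# your Squid build; remove it if the option is rejected at startup).
tls_outgoing_options min-version=1.2 options=NO_TLSv1_3
```

Audit the `nobump` list regularly and log `ssl_bump` decisions, since every host that is bumped has its end-to-end TLS replaced by two separate sessions whose security now rests on the proxy and the protection of the CA key.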