comp.protocols.tcp-ip: TCP and IP network protocols.
#1
Hello,

I've been asked if my application can be used over a Proxy Client. A quick study seems to imply that this could allow a man-in-the-middle attack by the Proxy Service. Is that correct? I presume the customer wants to legitimately monitor activity. I use a secure web (HTTPS) connection to talk with my secure servers.

David
#2
On Sep 18, 1:48 am, "Eagle" <FlyLikeAnEa...@United.Com> wrote:
> Hello,
>
> I've been asked if my application can be used over a
> Proxy Client. A quick study seems to imply that this
> could allow a man-in-the-middle attack by the Proxy
> Service. Is that correct? I presume the customer
> wants to legitimately monitor activity. I use a
> secure web (HTTPS) connection to talk with my
> secure servers.
>

HTTPS should prevent a man in the middle attack. Unlike HTTP, HTTPS connections are handled via the CONNECT method which simply relays binary data between the client and server.

In theory the proxy server can fake the CONNECT and do a man in the middle attack (indeed there are products out there that have this as a "feature") but doing so will result in a certificate error. Just tell your customer to never ignore certificate errors.

Another safety precaution is to tell your customer to accept your certificate *permanently* the first time he connects. That way the client software can detect certificate changes better -- if a window even pops up then he should be suspicious even if it's not an error window.
#3
Thank you. I was wondering how a proxy could exist in-stream and not behave as a man-in-the-middle. I believe that fits well -- we keep secure conversations and they get to ensure we only contact the stated secure web sites.

BTW, my client application won't talk unless the certificates are recognized.

David
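
The check the replies above rely on, as an added example that is not part of the original thread: a Python client that asks the proxy for a CONNECT tunnel, validates the server certificate as usual, and then compares its SHA-256 fingerprint with a stored pin. The function names and the hex pin format are assumptions made for this illustration.

```python
import hashlib
import socket
import ssl

# Added illustration: function names are hypothetical; the caller supplies the pin.


def connect_request(host: str, port: int) -> bytes:
    """The request a client sends to ask the proxy for a raw tunnel."""
    target = f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")


def tunnel_established(response_head: bytes) -> bool:
    """True only for a 2xx status line such as 'HTTP/1.1 200 Connection established'."""
    parts = response_head.split(b"\r\n", 1)[0].split(b" ", 2)
    return (len(parts) >= 2 and parts[0].startswith(b"HTTP/")
            and len(parts[1]) == 3 and parts[1].isdigit() and parts[1][:1] == b"2")


def pin_matches(der_cert: bytes, pinned_sha256_hex: str) -> bool:
    """Compare the presented certificate's SHA-256 fingerprint with the stored pin."""
    presented = hashlib.sha256(der_cert).hexdigest()
    return presented == pinned_sha256_hex.replace(":", "").lower()


def open_pinned_tunnel(proxy, host, port, pinned_sha256_hex, timeout=10.0):
    """CONNECT through proxy=(addr, port), then run TLS end to end with the server."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(connect_request(host, port))
        head = b""
        while b"\r\n\r\n" not in head:  # byte by byte, so no TLS data is consumed
            chunk = sock.recv(1)
            if not chunk or len(head) > 8192:
                raise ConnectionError("proxy closed or sent an oversized reply")
            head += chunk
        if not tunnel_established(head):
            raise ConnectionError("proxy refused CONNECT")
        # CA and hostname validation: a proxy that fakes the tunnel fails here
        # unless its own CA has been added to the client's trust store.
        tls = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        # The pin covers that case: a re-signed certificate has a different hash.
        if not pin_matches(tls.getpeercert(binary_form=True), pinned_sha256_hex):
            tls.close()
            raise ssl.SSLError("certificate does not match the pinned fingerprint")
        return tls
    except Exception:
        sock.close()
        raise
```
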