Does anyone know of a working (python) https proxy which allows viewing of
unencrypted data being sent from my browser to an https site?
I've worked my way through most on the list at http://xhaus.com/alan/python/proxies.html, but while many claim to support
https, if you actually point your browser at the proxies, they work fine for
http, but not for https pages.
TIA
Paul Sweeney 16  60615 
Paul Sweeney wrote: Does anyone know of a working (python) https proxy which allows viewing of
unencrypted data being sent from my browser to an https site?
hmm, I thought the _purpose_ of using https was to make it relatively
impossible to view the unencrypted data being the "man in the middle"..
Simon Dahlbacka wrote: hmm, I thought the _purpose_ of using https was to make it relatively
impossible to view the unencrypted data being the "man in the middle"..
It's certainly not impossible, there are tools like Paros for java which do
the job, the browser sets up an http connection with the proxy (using the
proxy's built in certificate), and the proxy then sets up an https
connection with the destination server, but the data is unencrypted in the
proxy before being re-encrypted to send to the destination server.
What is (virtually) impossible is to intercept and do a "man in the middle"
attack on an existing connect. I don't want to intercept stuff on the net,
just see what the browser on my machine is sending/receiving
HTH :-)
Paul Sweeney wrote: Simon Dahlbacka wrote:
hmm, I thought the _purpose_ of using https was to make it relatively
impossible to view the unencrypted data being the "man in the middle"..
It's certainly not impossible, there are tools like Paros for java which do
the job, the browser sets up an http connection with the proxy (using the
proxy's built in certificate), and the proxy then sets up an https
connection with the destination server, but the data is unencrypted in the
proxy before being re-encrypted to send to the destination server.
What is (virtually) impossible is to intercept and do a "man in the middle"
attack on an existing connect. I don't want to intercept stuff on the net,
just see what the browser on my machine is sending/receiving
It sounds like you want either to see the raw data stream (the
encrypted stuff), or you want to see the unencrypted data that
the browser would be sending if it weren't using https. It's
still unclear. If the latter, why not use Paros, since you seem
to know about it and how it works?
(The reason your request is unclear is because your first message
talks about seeing the "unencrypte d data being sent from [your]
browser to an https site" and yet obviously, as you know, there
is no unencrypted data going to the https site... But since you
certainly know this, it makes it unclear just which you are
requesting.)
-Peter
Peter Hansen wrote: Paul Sweeney wrote: Simon Dahlbacka wrote:
hmm, I thought the _purpose_ of using https was to make it relatively
impossible to view the unencrypted data being the "man in the middle"..
It's certainly not impossible, there are tools like Paros for java which
do the job, the browser sets up an http connection with the proxy (using
the proxy's built in certificate), and the proxy then sets up an https
connection with the destination server, but the data is unencrypted in
the proxy before being re-encrypted to send to the destination server.
What is (virtually) impossible is to intercept and do a "man in the
middle" attack on an existing connect. I don't want to intercept stuff on the
net, just see what the browser on my machine is sending/receiving
It sounds like you want either to see the raw data stream (the
encrypted stuff), or you want to see the unencrypted data that
the browser would be sending if it weren't using https. It's
still unclear. If the latter, why not use Paros, since you seem
to know about it and how it works?
(The reason your request is unclear is because your first message
talks about seeing the "unencrypte d data being sent from [your]
browser to an https site" and yet obviously, as you know, there
is no unencrypted data going to the https site... But since you
certainly know this, it makes it unclear just which you are
requesting.)
-Peter
Ok, apologies, let me try to explain it more clearly.
I wish to access an https:// site using my browser and click around it. I
wish to see the http(s) GET urls and http(s) POST urls and data which are
being sent to the https server. If the site were an http:// site I would
use a tool like ethereal to see what was going on, but this data is sent
encrypted from the browser due to the https connection, so I'll just see the
encrypted data. So I need a tool to view the unencrypted form of the data
which is being sent encrypted (sorry for being unclear about the "unecrypted
data" in my last post, I hope this is better).
I have and could use a tool like Paros, but it is java and (need I say
more?):
a) I love Python (:-D) ...
b) ... seriously, I'd like to be able to play with the source code to record
the gets and posts for later replay in a python based retriever tool.
Thanks for your interest in this thread.
Paul Sweeney
Paul Sweeney wrote: I wish to access an https:// site using my browser and click around it. I
wish to see the http(s) GET urls and http(s) POST urls and data which are
being sent to the https server. If the site were an http:// site I would
use a tool like ethereal to see what was going on, but this data is sent
encrypted from the browser due to the https connection, so I'll just see the
encrypted data. So I need a tool to view the unencrypted form of the data
which is being sent encrypted (sorry for being unclear about the "unecrypted
data" in my last post, I hope this is better).
Based on what you say here, I think the answer is back to being
"impossible ". The encryption is going on in the browser. If
the browser thinks it's talking HTTPS, then it will encrypt
stuff and talk HTTPS. Nothing between the browser end of the
socket and the server end of the socket will be able to
decrypt it.
If you had a proxy that used its own certificate and established
an https connection when the client tried to connect with http
to something, then you could at least start the whole thing off
without encrypted data on the browser side. As soon as you tried
to click on an embedded https link, however, the browser would
try to establish an encrypted link, and the proxy wouldn't work
any more.
What about just writing a tool using urllib2 and basically
simulating the browser activity in Python? Then you can
bypass the whole issue, and have programmatic access to the
unencrypted data before or after it hits the encrypted socket
(depending on the direction of travel).
I have and could use a tool like Paros, but it is java and (need I say
more?):
a) I love Python (:-D) ...
b) ... seriously, I'd like to be able to play with the source code to record
the gets and posts for later replay in a python based retriever tool.
I love Python too, but that doesn't stop me from using a more
effective tool when the need arises. Surely something like Paros,
if it can do what you need (and I don't see how it can), also
has the ability to save the data to a file for later perusal,
even if the utility for retrieving it were in Python.
-Peter
In article <ce**********@t itan.btinternet .com>, Paul Sweeney
<URL:mailto:re* *************** ***@nothypgnal. delrest.co.uk> wrote: Does anyone know of a working (python) https proxy which allows viewing of
unencrypted data being sent from my browser to an https site?
I've worked my way through most on the list at
http://xhaus.com/alan/python/proxies.html, but while many claim to support
https, if you actually point your browser at the proxies, they work fine for
http, but not for https pages.
I wrote a http proxy server some time ago to use Netscape/Firefox for
homebanking through the modem connection of my RISC OS computer (I don't
like connecting my Windows PC to the internet....).
I don't think a simple proxy server will help you at all as it just waits
for the browser connecting, receives a "CONNECT ..." request, builds the
requested connection and then just passes on the data between the browser
and the website until the connection is closed from either side ...
Anyway it's available from my homepage; it's in the RISC OS additions
archive - the name is SSLRelay.
Regards,
Dietmar
"Paul Sweeney" <re************ *******@nothypg nal.delrest.co. uk> writes: I wish to access an https:// site using my browser and click around
it. I wish to see the http(s) GET urls and http(s) POST urls and
data which are being sent to the https server. If the site were an
http:// site I would use a tool like ethereal to see what was going
on, but this data is sent encrypted from the browser due to the
https connection, so I'll just see the encrypted data. So I need a
tool to view the unencrypted form of the data which is being sent
encrypted (sorry for being unclear about the "unecrypted data" in my
last post, I hope this is better).
You could do that but I don't know of already-existing Python code
that does it. Basically it would be a man-in-the-middle attack against
the browser/server pair:
browser---(SSL)---proxy---(SSL)---server
There'd be two separate SSL sessions and the proxy would of course
have to present its own server certificate to the browser, which you'd
configure the browser to accept. The server application could take
various measures to detect this subterfuge and stop it from happening,
but I doubt any normal server apps actually bother to do that. It's
not a true security break, since the browser user has to accept the
proxy certificate, thereby giving "permission " for the interception.
* Peter Hansen <pe***@engcorp. com> [2004-07-27 13:55]: Paul Sweeney wrote:
I wish to access an https:// site using my browser and click around it. I
wish to see the http(s) GET urls and http(s) POST urls and data which are
being sent to the https server. If the site were an http:// site I would
use a tool like ethereal to see what was going on, but this data is sent
encrypted from the browser due to the https connection, so I'll just see
the
encrypted data. So I need a tool to view the unencrypted form of the data
which is being sent encrypted (sorry for being unclear about the
"unecrypted
data" in my last post, I hope this is better).
Based on what you say here, I think the answer is back to being
"impossible ". The encryption is going on in the browser. If
the browser thinks it's talking HTTPS, then it will encrypt
stuff and talk HTTPS. Nothing between the browser end of the
socket and the server end of the socket will be able to
decrypt it.
Although, if this is just for testing, I think you could trick the
browser by running a proxy on a different machine that accepts an HTTPS
connection, and creates another HTTPS connection with the destination
server. Then run your own DNS server that hands back bogus answers to
every request resolving to the proxy's IP address.
The browser will talk HTTPS to the proxy, thinking it's talking to the
target server. Of course, this will trigger the "certificat e doesn't
match IP address" type of warning, but I think most browsers will let
you continue after warning you. (If not, you could probably still get
around it with the gross hack of having the DNS server communicate with
the proxy, so the proxy could generate on the fly a certificate for the
server name that the browser is trying to reach. This would get you the
"certificat e can't be verified" type of error, which is definitely one
that you can continue after acknowledging.)
So, if it's just for testing and research, that might work. Obviously,
it's not a viable setup if you're trying to use it to snoop on the
conversations of unsuspecting users (which I'm not accusing you of, but
it's a much harder problem).
-John jo**@hazen.net (John Hazen) writes: Although, if this is just for testing, I think you could trick the
browser by running a proxy on a different machine that accepts an HTTPS
connection, and creates another HTTPS connection with the destination
server. Then run your own DNS server that hands back bogus answers to
every request resolving to the proxy's IP address.
You can use /etc/hosts for that. No need for running your own DNS.
But why bother? Just configure the browser send requests through the
proxy.
The browser will talk HTTPS to the proxy, thinking it's talking to the
target server. Of course, this will trigger the "certificat e doesn't
match IP address" type of warning, but I think most browsers will let
you continue after warning you.
Yes, or you can generate a cert with the right hostname in it, and
install it in the browser as a trusted cert.
To the OP, are you trying to debug a server-side app? If you're not
trying to send actual confidential data through the SSL connection and
if you can configure the server, it's probably simplest to just open a
non-SSL port, unless you're trying to debug something SSL-specific. This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: b_prikls |
last post by:
Hi all,
i need your help, here is code, that makes http connection to a
website throu
a proxy server, and it works fine:
==========================================
$proxy = "111.111.111.111";
$port = "8080";
$url = "http://www.myhost.com/folder/script.dll?variable=hello";
|
by: Robert |
last post by:
did you solve this problem? It seems to be still present here with
py2.3.5.
Robert
--
From: Manish Jethani <manish.j@gmx.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6b)
Gecko/20031205 Thunderbird/0.4
X-Accept-Language: en-us, en
|
by: Bloke |
last post by:
Hi all.
Some time ago (years) I had a script on Python 2.2 that would retieve a
HTTPS web site. I used python22-win32-ssl.zip to handle the SSL aspect
and it worked wonderfully. I am revisiting the project and need to
update it to Python 2.4.1. python22-win32-ssl.zip isn't compatable
(duh) and I can't find a newer version. I have had a search and can't
find anything to point me in the right direction.
Can someone please help?
|
by: MarkAurit |
last post by:
I have a web service Im using on a machine via http in a dmz that works file.
Im now attempting to use it in a second server, this one using https.
When I attempt to add the Web Reference in vs.net 1.1, I get the following
message:
*****************************************
There was an error downloading 'https://<dns
name>/ScheduledJobs.asmx?op=GetMetrics'.
The underlying connection was closed: Unable to connect to the remote server.
|
by: Astan Chee |
last post by:
Hi again,
According to
https://demo.launchpad.net/products/python/+bug/56872
or more specifically, the example of its working code:
http://librarian.demo.launchpad.net/3507227/urllib2_proxy_auth.py
I can use urllib2 via proxy to access a https site(specifically hooking
it up to libgmail).
The problem is that the proxy that is accessible to me is http/port8080
only. Is it possible to use urllib2 with this proxy to access a https
site?...
| | |
by: NoaGross |
last post by:
Hi,
I'm relly new in java and I have a problem.
I'm using java applet.
When using http all ok, but when trying to use https i get:
Java Plug-in 1.5.0_10
Using JRE version 1.5.0_10 Java HotSpot(TM) Client VM
User home directory = C:\Documents and Settings\noa
----------------------------------------------------
c: clear console window
|
by: pac1250 |
last post by:
Hi,
I am searching how to solve a problem and I dont find it :(
I want to access a page from a script behind a proxy :
(my script) <-(a proxy with authentification) <-(https serveur
with authentification)
-----------------------------------------------------------------
|
by: =?Utf-8?B?TGVuc3Rlcg==?= |
last post by:
A C# (.NET 2) application which uses the System.Net.HttpWebRequest object to
request a resource over HTTPS is failing following the installation of a new
proxy server on our internal network with 407 Proxy Authentication Required.
The same request through the old proxy succeeds.
The same request to an HTTP address through the new proxy succeeds.
Also, the request succeeds when forced to use Basic authentication but fails
on NTLM.
|
by: Gustavo Rahal |
last post by:
Hi
I'm trying to build a xmlrpc client that uses a proxy to connect to
a xmlrpc server in https.
I've googled and came up with a code snippet that doesn't actually
work.
What is missing?
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
| | |
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
| | |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |
