#1
01-31-2008, 12:55 AM
Harry
A basic/newbie question on https.

Hello,

Let's say, I can securely log into https://<URL> site using username
'u1' and password 'p1' from within a browser.

1. Is it possible to write a proxy
* that runs on my client machine,
* that the browser on the same client machine points to,
* that intercepts another username/password pair -- u2/p2 --
  entered on the login page of the site and transforms it to u1/p1 so
  that the user authentication can happen?

Basically, what I'm trying to accomplish is temporarily allow a user
to log into https://<URL> without actually divulging the real username/
password (u1/p1). (I would validate u2/p2 within the above proxy so
that only the users I allow can access the site.)

This proxy could either be a stand-alone program, or a browser plugin.
I know https is a secure protocol; what I don't know is the point at
which the encryption occurs and whether or not this point is late
enough to allow interception from the browsing machine... whether a
browser would allow hooks / interception API without compromising the
motivations/goals of the https protocol.

2. Also, any recommendations for a 'good' open-source http proxy?
Muffin seems to be a very old project. Proxomitron is superb but is not
open source!

Many thanks in advance,
/HS

#2
01-31-2008, 03:56 AM
Todd H.
Re: A basic/newbie question on https.

Harry <simonsharry@gmail.com> writes:
> Hello,
>
> Let's say, I can securely log into https://<URL> site using username
> 'u1' and password 'p1' from within a browser.
>
> 1. Is it possible to write a proxy
> * that runs on my client machine,
> * that the browser on the same client machine points to,
> * that intercepts another username/password pair -- u2/p2 --
> entered on the login page of the site and transforms it to u1/p1 so
> that the user authentication can happen?


parosproxy.org

Yes. Paros Proxy can do this. "Replace http request header using
defined pattern" or "replace http request body using defined pattern"
are the functions you could leverage for this depending on how the
username is passed.


> Basically, what I'm trying to accomplish is temporarily allow a user
> to log into https://<URL> without actually divulging the real username/
> password (u1/p1). (I would validate u2/p2 within the above proxy so
> that only the users I allow can access the site.)


So this user is going to be using the workstation this proxy is
running on? Paros isn't a service or anything--it's designed as an
interactive web proxy program, but I suppose you could modify it to
run quietly and demurely as a service. Or if you're on a multi user
machine, run it as another user.

> This proxy could either be a stand-alone program, or a browser plugin.
> I know https is a secure protocol; what I don't know is the point at
> which the encryption occurs and whether or not this point is late
> enough to allow interception from the browsing machine... whether a
> browser would allow hooks / interception API without compromising the
> motivations/goals of the https protocol.



https is easy to man in the middle if you've got control of the client
machine. Dumbing down the browser enough not to freak out at the
certificate mismatch between paros's internal cert vs the destination
site's name will be one issue. Even if not dumbed down, a frightening
number of users will just okay the cert warning anyway.

Best Regards,
--
Todd H.
http://www.toddh.net/
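
The body rewrite discussed in this thread, as an added example (it is not part of either post and is not Paros code): a function a local proxy could apply to a form-encoded login POST, checking u2/p2 and forwarding u1/p1 only on a match. The field names `username` and `password`, the delegate table and the salt are assumptions constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# All values below are constructed for illustration. The form field names are
# assumptions; the real login page may use different ones.
USER_FIELD, PASS_FIELD = "username", "password"
REAL_CREDS = {USER_FIELD: "u1", PASS_FIELD: "p1"}   # known only to the proxy
SALT = b"constructed-salt"


def _digest(password: str) -> bytes:
    # PBKDF2 so delegate passwords are not kept in clear inside the proxy.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


DELEGATES = {"u2": _digest("p2")}   # temporary users allowed through
DUMMY = _digest("")                 # compared against for unknown users


def rewrite_login_body(body: str):
    """Return the form body to forward upstream, or None to refuse it."""
    fields = parse_qsl(body, keep_blank_values=True)
    names = [name for name, _ in fields]
    # Refuse missing or repeated credential fields: if the proxy and the
    # server pick different duplicates, the u2/p2 check can be sidestepped.
    if names.count(USER_FIELD) != 1 or names.count(PASS_FIELD) != 1:
        return None
    form = dict(fields)
    expected = DELEGATES.get(form[USER_FIELD])
    supplied = _digest(form[PASS_FIELD])
    # Constant-time compare; unknown users still cost one digest + compare.
    matches = hmac.compare_digest(supplied, expected or DUMMY)
    if expected is None or not matches:
        return None
    # Swap only the credential fields; other fields (e.g. a CSRF token)
    # pass through in their original order.
    return urlencode([(k, REAL_CREDS.get(k, v)) for k, v in fields])


if __name__ == "__main__":
    # Constructed request bodies.
    print(rewrite_login_body("username=u2&password=p2&token=abc"))
    print(rewrite_login_body("username=u2&password=guess"))
```

The forwarded request's Content-Length has to be recomputed whenever the rewritten body differs in length. The real u1/p1 still sit on the client machine, so a user with administrative control of that machine can read them out of the proxy.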
