On Tue, Jul 23, 2002 at 06:11:04PM +0000, Jason Holt wrote:
> The default behavior for an SSL proxy is to pass the encrypted bytes back and forth, allowing you to connect all the way to the other server.
This isn't just the default behavior; it's the only defined behavior right?
> However, it is possible for the proxy to have its own CA which has been added to your browser. Then it acts as a man in the middle and pretends to be the remote host to you, and vice versa. In that case, it works as you describe, watching the data during its interim decryption.
While it's _possible_ to do this, I've never heard of a server-hosted application that advertises that it's doing this. I would think it would be quite hard to get a CA to issue you a certificate if this is what you intended to do with it (act as a general MITM on SSL connections you proxy). There have been applications which do this locally, e.g. a no longer shipped product called SafePassage by c2.net, and Achilles, an SSL debugger; both of these are local proxies and both ask the user to install a certificate allowing this when they are installed. The installed certificate is self-signed, however, and not issued by a CA, as it is only valid for that user's machine anyway. The user won't want to buy a cert to authenticate information to their own machine; it would be less secure to do so, and the user won't want to pay for this certificate.
> Typically, the proxy would give you generic certificates (like "*.com"),
Is there any software actually doing this? (I know wildcard certs are available, but I would think a wildcard cert on .com would be a very dangerous thing for a CA to issue, and you'd hope browsers would be smart enough to reject such certs.)
> but it could conceivably generate a certificate for each site you visit ("secure.yahoo.com", etc.).
This is what SafePassage et al. do.

Adam
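As an added example (not code from either correspondent), here is the hostname-matching check a client needs in order to reject an over-broad wildcard such as "*.com" while still accepting "*.yahoo.com" for "secure.yahoo.com". The rule it applies, at least two fixed labels to the right of the wildcard, is a simplification of RFC 6125; real browsers also consult a public-suffix list.

```python
"""Certificate name matching with rejection of over-broad wildcards
such as '*.com'.  Added example, not code from the thread; the rules
are a simplification of RFC 6125 section 6.4.3 (a real client would
also consult the public suffix list, which is omitted here)."""


def _labels(name):
    # DNS names are case-insensitive; ignore a trailing dot.
    return name.lower().rstrip(".").split(".")


def is_overbroad_wildcard(pattern):
    """True for '*' or '*.com': a wildcard that would cover a whole
    top-level domain.  Rule used here: the wildcard needs at least
    two fixed labels to its right ('*.yahoo.com' is acceptable)."""
    labels = _labels(pattern)
    return "*" in labels[0] and len(labels) < 3


def hostname_matches(pattern, hostname):
    """Does a certificate DNS name (optionally with a leading wildcard)
    legitimately match the hostname the client connected to?"""
    plabels, hlabels = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return plabels == hlabels
    # The wildcard must be the entire leftmost label and nothing else.
    if plabels[0] != "*" or any("*" in lab for lab in plabels[1:]):
        return False
    if is_overbroad_wildcard(pattern):
        return False
    # '*' matches exactly one label, so the label counts must agree
    # and every label right of the wildcard must match exactly.
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def cert_names_match(san_names, hostname):
    """Return the first certificate name that matches, or None."""
    for name in san_names:
        if hostname_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    # Constructed sample: the generic certificate a proxy might present.
    generic_proxy_cert = ["*.com"]
    print(cert_names_match(generic_proxy_cert, "secure.yahoo.com"))  # None
    print(cert_names_match(["*.yahoo.com"], "secure.yahoo.com"))  # *.yahoo.com
```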