Adam Back wrote:
On Tue, Jul 23, 2002 at 06:11:04PM +0000, Jason Holt wrote:
The default behavior for an SSL proxy is to pass the encrypted bytes back and forth, allowing you to connect all the way to the other server.
This isn't just the default behavior; it's the only defined behavior right?
However, it is possible for the proxy to have its own CA which has been added to your browser. Then it acts as a man in the middle and pretends to be the remote host to you, and vice versa. In that case, it works as you describe, watching the data during its interim decryption.
While it's _possible_ to do this, I've never heard of a server hosted application that advertises that it's doing this. I would think it would be quite hard to get a CA to issue you a certificate if this is what you intended to do with it (act as a general MITM on SSL connections you proxy).
Errr - it's tricky anyway, coz the cert has to match the final destination, and, by definition almost, that can't be the proxy.

I believe it's pretty common for server farms to use SSL-enabled reverse proxies where the SSL terminates at the proxy. Different scenario, though.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html
http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff