Capture HTTPS Traffic without decryption of SSL connection


#1

Hi,
I have setup mitmproxy in transparent mode with all HTTP/HTTPS traffic routed to my proxy through firewall. I want to see HTTPS requests without decrypting it as I do not have any requisite certificates for domains.

Is there any command line option to mitmproxy to make pass through settings to see what HTTPS requests being made from connected clients. just HTTP/HTTPS requests without any decryption.

Thanks
Chandra


#2

Mitmproxy cannot view the contents of TLS-protected sessions without performing a man-in-the-middle attack. If we could, that’d be a major security vulnerability in TLS.


#3

Thanks Max!
Can’t we even sees the HTTPS requests (whole URLs) being made by connected clients?

Thanks
Chandra


#4

No, all data – including the URL – is protected by TLS.


#5

Thanks Max for details.


#6

then how sonicwall is doing this job without installing SSL certificate in the browser?


#7

I don’t know what sonicwall is doing, but one alternative would be to e.g. do IP-based filtering, as metadata is unprotected.


#8

Appliances like Sonicwall that do SSL inspection essentially break the SSL tunnel between the browser and the end site and form 2 tunnels:
Browser <=> SSL Inspection Module <=> Website

So the SSL inspector (if its configured to do so) creates a session between the browser and its self, then creates a session between its self and the website, so everything is visible to it, but still ‘encrypted’. But your browsers session is with the SSL inspector, not the website.


#9

This is also how mitmproxy works, and this requires you to install a certificate on the client (in contrast to what @ericj1977 said).


#10

Hi, I have a question regarding usage of MITM proxy with BrowserStack infrastructure.

We test mobile applications, and for automation purposes we decided to use MITM proxy and BrowserStack. Browserstack doesn’t allow to install the certificates on the devices, so MITM proxy won’t intercept HTTPS requests. There is a script which is downloaded using secured connection as soon as our mobile test app is opened. MITM ignores this request, so we can’t use this mobile application at all.

As @mhils says that MITM can’t track HTTPS requests without certificate being installed on the devices, does it mean that MITM can’t be used in BrowserStack infrastructure in our case?

Thank you in advance for the answer.