Web Proxy Client with HTTPS - TCP-IP



Thread: Web Proxy Client with HTTPS

  1. Web Proxy Client with HTTPS

    Hello,

    I've been asked if my application can be used over a
    Proxy Client. A quick study seems to imply that this
    could allow a man-in-the-middle attack by the Proxy
    Service. Is that correct? I presume the customer
    wants to legitimately monitor activity. I use a
    secure web (HTTPS) connection to talk with my
    secure servers.

    David

  2. Re: Web Proxy Client with HTTPS

    On Sep 18, 1:48 am, "Eagle" wrote:
    > Hello,
    >
    > I've been asked if my application can be used over a
    > Proxy Client. A quick study seems to imply that this
    > could allow a man-in-the-middle attack by the Proxy
    > Service. Is that correct? I presume the customer
    > wants to legitimately monitor activity. I use a
    > secure web (HTTPS) connection to talk with my
    > secure servers.
    >


    HTTPS should prevent a man-in-the-middle attack. Unlike HTTP, HTTPS
    connections are handled via the CONNECT method, which simply relays
    binary data between the client and server. In theory the proxy server
    can fake the CONNECT and do a man-in-the-middle attack (indeed there
    are products out there that have this as a "feature"), but doing so
    will result in a certificate error. Just tell your customer to never
    ignore certificate errors. Another safety precaution is to tell your
    customer to accept your certificate *permanently* the first time he
    connects. That way the client software can detect certificate changes
    better -- if a window even pops up then he should be suspicious, even
    if it's not an error window.


  3. Re: Web Proxy Client with HTTPS

    Thank you. I was wondering how a proxy could exist in-stream
    and not behave as a man-in-the-middle. I believe that fits
    well -- we keep secure conversations and they get to ensure
    we only contact the stated secure web sites. BTW, my client
    application won't talk unless the certificates are recognized.

    David
