Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
A python-based proxy that uses Perspectives to detect and thwart SSL MITM attacks.
Python Shell
branch: python-2.6

This branch is 52 commits behind master

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.
Perspectives
unittests
.gitmodules
CertificateAuthority.py
PerProxy-whitelist.txt
PerProxy.conf
PerProxy.py
README
Server.py
WhiteList.py
error_template.html
http_notary_list.txt
logging.config
m2crypto-create-ca.py
notary-query.py

README

PerProxy is a HTTPS proxy that uses Perspectives [1] to monitor
SSL connections, detect and thwart SSL attempts using fradulent
certificates (e.g. [3,4]). It is not in any way intended to replace
the Perspectives Firefox extension [2], but to serve in instances when
the extension cannot be used (e.g. you are using another browser, a
version of Firefox that doesn't support the extension).

Note that PerProxy has only been tested with Firefox 4.x at this
time. It is most defintely a work in progress. Use at your own risk.

PerProxy acts as a SSL MITM, accepting SSL credentials from the
browser and making certificates on the fly to imitate the expected
server. As such, to use PerProxy, the first step is to create a CA
certificate for it to use:

./m2crypto-create-ca.py

Then you need to load the newly create CA certificate into your
browser. With FireFox, you just need to open the certificate, e.g. use
a URL such as:

file:///path/to/PerProxy/ca-cert.crt

And you will be prompted and walked through the process.

Then you can fire up PerProxy (use '-d' for debug mode will probably
be most useful):

./PerProxy -d

Then configure your web browser to use port localhost:8080 as a HTTPS
proxy. With FireFox this is under Preferences, Advanced, Network,
Connection, Settings. Select "Manual proxy configuration" and for "SSL
Proxy" enter "localhost" and "8080". Click OK to save. (Using an
add-on such as QuickProxy will let you turn this setting on and off
easily.)

Now connect to an HTTPS website and watch the output from PerProxy.

Please report comments, issues, bugs, etc. at https://github.com/von/PerProxy

--------------------

Prerequisites:

* M2Crypto: http://chandlerproject.org/Projects/MeTooCrypto

* argparse: https://code.google.com/p/argparse/  - comes with Python 2.7+

--------------------

Here is how PerProxy currently works:

* It acts as an HTTPS proxy, receiving and parsing a CONNECT message
from the client browser to obtain the target hostname.

* It connects to the target server.

** If the target server's certificate is in the cache, it proceeds.

** If the target server's certificate is not in the cache, it queries
Perspectives notaries to validate the target server certificate. On
success it puts the certificate into the cache.

** On failure, an error is returned to the client browser (see Note
below) and the connection is closed.

* A SSL conection is established back to the client and all data is
passed through between the two.

Note: All error handling is very rudimentary right now. PerProxy will
print logs as things happen to stdout and a HTML web page is returned
to the client. The HTML will be displayed only for primary pages
though, if the request is for an image or other element of a page, it
likely gets swallowed by the browser.

--------------------

This code is freely distributed under an MIT license [6].

--------------------

[1] http://www.networknotary.org/
[2] http://www.networknotary.org/firefox.html
[3] https://www.eff.org/deeplinks/2011/03/iranian-hackers-obtain-fraudulent-https
[4] http://crypto.stanford.edu/ssl-mitm/
[5] https://github.com/danwent/Perspectives-Server
[6] http://www.opensource.org/licenses/mit-license.php

Something went wrong with that request. Please try again.