https proxy

Paul Sweeney reverse.ku.oc.issolok at nothypgnal.delrest.co.uk
Tue Jul 27 13:18:08 EDT 2004 

Peter Hansen wrote:
> Paul Sweeney wrote:
> > Simon Dahlbacka wrote:
> >
> >>hmm, I thought the _purpose_ of using https was to make it relatively
> >>impossible to view the unencrypted data being the "man in the middle"..
> >
> > It's certainly not impossible, there are tools like Paros for java which
do
> > the job, the browser sets up an http connection with the proxy (using
the
> > proxy's built in certificate), and the proxy then sets up an https
> > connection with the destination server, but the data is unencrypted in
the
> > proxy before being re-encrypted to send to the destination server.
> >
> > What is (virtually) impossible is to intercept and do a "man in the
middle"
> > attack on an existing connect.  I don't want to intercept stuff on the
net,
> > just see what the browser on my machine is sending/receiving
>
> It sounds like you want either to see the raw data stream (the
> encrypted stuff), or you want to see the unencrypted data that
> the browser would be sending if it weren't using https.  It's
> still unclear.  If the latter, why not use Paros, since you seem
> to know about it and how it works?
>
> (The reason your request is unclear is because your first message
> talks about seeing the "unencrypted data being sent from [your]
> browser to an https site" and yet obviously, as you know, there
> is no unencrypted data going to the https site...  But since you
> certainly know this, it makes it unclear just which you are
> requesting.)
>
> -Peter

Ok, apologies, let me try to explain it more clearly.

I wish to access an https:// site using my browser and click around it.  I
wish to see the http(s) GET urls and http(s) POST urls and data which are
being sent to the https server.  If the site were an http:// site I would
use a tool like ethereal to see what was going on, but this data is sent
encrypted from the browser due to the https connection, so I'll just see the
encrypted data. So I need a tool to view the unencrypted form of the data
which is being sent encrypted (sorry for being unclear about the "unecrypted
data" in my last post, I hope this is better).

I have and could use a tool like Paros, but it is java and (need I say
more?):

a) I love Python (:-D) ...
b) ... seriously, I'd like to be able to play with the source code to record
the gets and posts for later replay in a python based retriever tool.

Thanks for your interest in this thread.

Paul Sweeney

More information about the Python-list mailing list