https proxy

Peter Hansen peter at engcorp.com
Tue Jul 27 12:48:18 EDT 2004


Paul Sweeney wrote:
> Simon Dahlbacka wrote:
> 
>>hmm, I thought the _purpose_ of using https was to make it relatively
>>impossible to view the unencrypted data being the "man in the middle"..
> 
> It's certainly not impossible, there are tools like Paros for Java which do
> the job, the browser sets up an http connection with the proxy (using the
> proxy's built in certificate), and the proxy then sets up an https
> connection with the destination server, but the data is unencrypted in the
> proxy before being re-encrypted to send to the destination server.
> 
> What is (virtually) impossible is to intercept and do a "man in the middle"
> attack on an existing connection.  I don't want to intercept stuff on the net,
> just see what the browser on my machine is sending/receiving.

It sounds like you want either to see the raw data stream (the
encrypted stuff), or you want to see the unencrypted data that
the browser would be sending if it weren't using https.  It's
still unclear.  If the latter, why not use Paros, since you seem
to know about it and how it works?

(The reason your request is unclear is because your first message
talks about seeing the "unencrypted data being sent from [your]
browser to an https site" and yet obviously, as you know, there
is no unencrypted data going to the https site...  But since you
certainly know this, it makes it unclear just which you are
requesting.)

-Peter


