question about basics of creating a PROXY to MONITOR network activity

Michael Torrie torriem at gmail.com
Sat Apr 10 12:26:16 EDT 2021


On 4/10/21 8:52 AM, cseb... at gmail.com wrote:
> 
>> Is it even possible to be secure in that way? This is, by definition, 
>> a MITM, and in order to be useful, it *will* have to decrypt 
>> everything. So if someone compromises the monitor, they get 
>> everything. 
> 
> Chris
> 
> I hear all your security concerns and I'm aware of them.  I *really* don't want to have to
> fight SSL.  Encryption was the biggest concern and I'd rather not mess with it to do something 
> useful.
> 
> I've never used CloudFlare but if I'm not mistaken, it can be considered a useful "MITM" service?
> Do they have to decrypt traffic and increase the attack surface to be useful?

Cloudflare does not do any kind of MITM stuff.  Cloudflare requires some
set up on the part of the server owner, and that takes several forms.
One recommended method is to have Cloudflare sign a special certificate that
you install on your web server, which encrypts between your server and
Cloudflare.  Then you provide Cloudflare with an SSL certificate and key
to use when they serve up your site to the world.

> I just want to create a "safe" MITM service so to speak.

For my own purposes, sometimes I'll create a limited, wildcard
certificate signed by my own authority which works only in my own
browser (this is the same technique used by certain regimes to MITM the
entire country!).  The proxy then uses that certificate.  It's useful
for some debugging tasks.  Or alternatively I'll create a proxy intended
to run on localhost only that proxies an encrypted source to a local,
non-encrypted channel.  For example, I might want to examine why a
connection to an IMAPS port is failing.  So I'll proxy IMAPS to IMAP so
I can sniff the IMAP locally to find out why the interaction is failing.
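
Added example, not part of the original message: one way to build the localhost-only IMAPS-to-IMAP debugging proxy described above, using asyncio. The listen port 1143, the function names and the `tls=False` test switch are assumptions made for this sketch; the upstream connection keeps normal certificate and hostname verification.

```python
import asyncio
import ssl
import sys

def verified_context():
    """Client-side TLS context that checks the server's chain and hostname."""
    return ssl.create_default_context()

async def pump(reader, writer, label, log):
    """Copy one direction, handing each plaintext chunk to the logger."""
    try:
        while data := await reader.read(4096):
            log(label, data)  # includes LOGIN credentials: keep output local
            writer.write(data)
            await writer.drain()
    except OSError:
        pass  # reset or TLS error: fall through and close the other side
    finally:
        writer.close()

async def serve(host, port=993, listen_port=1143, tls=True, log=print):
    """Accept plain IMAP on loopback only and relay it to host:port over TLS."""
    ctx = verified_context() if tls else None  # tls=False only for offline tests

    async def handle(c_reader, c_writer):
        try:
            u_reader, u_writer = await asyncio.open_connection(host, port, ssl=ctx)
        except OSError as exc:  # refused, or certificate verification failed
            log("!!", repr(exc).encode())
            c_writer.close()
            return
        await asyncio.gather(pump(c_reader, u_writer, "C:", log),
                             pump(u_reader, c_writer, "S:", log))

    # 127.0.0.1, never 0.0.0.0: the cleartext side must not leave this machine.
    return await asyncio.start_server(handle, "127.0.0.1", listen_port)

async def main(host):
    async with await serve(host) as server:
        await server.serve_forever()

if __name__ == "__main__" and len(sys.argv) > 1:
    asyncio.run(main(sys.argv[1]))
```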


