Could someone explain the networking behind transparent proxies and MiTM snooping using certificates to me?

Submitted ⁨⁨1⁩ ⁨year⁩ ago⁩ by ⁨MigratingtoLemmy@lemmy.world⁩ to ⁨selfhosted@lemmy.world⁩

Hi everyone, I’ve been trying to understand how MiTM setups like a transparent proxy work.

Obviously, the use-case here is in a personal scope: I’d like to inspect the traffic of some of my machines. I am aware that Squid can be a transparent proxy, and some might use the Burp Suite to analyse network traffic.

Could someone explain the basic networking and the concept of certificates in this scenario? I feel like I don’t understand how certificates are used well enough.

For example: I realise that if someone inserts a root certificate in the certificate store of an OS, the machine trusts said CA, thus allowing encrypted traffic from the machine to be decrypted. However, say the machine was trying to access Amazon; won’t Amazon have its own certificate? I don’t know how I’m confused about such a simple matter. Would really appreciate your help!

source

Comments

Sort:hotnew top

surewhynotlem@lemmy.world ⁨1⁩ ⁨year⁩ ago
If you are acting as the proxy for the user, then all web requests go through you. A normal proxy would just forward those on to the Amazon (e.g.) server.

In your scenario, the proxy sends a cert to the client saying ‘I’m Amazon’, and the client believes it. The client talks to you like you’re Amazon, and you read all his messages. At the same time, you talk to Amazon pretending to be the user, so you can get all the correct Amazon responses to send back to the user.

source
- MigratingtoLemmy@lemmy.world ⁨1⁩ ⁨year⁩ ago
  
  the proxy sends a cert to the client saying ‘I’m Amazon’, and the client believes it
  
  Thanks, could you explain this a bit more? I didn’t understand what you mean by “sends a cert saying ‘I’m Amazon’”
  
  source
  - ShellMonkey@lemmy.socdojo.com ⁨1⁩ ⁨year⁩ ago
    A decrypting proxy acts like a local certificate authority and issues a certificate on behalf of the site to create one encrypted connection between the client and proxy while creating a second on with the original site on the other side.
    
    The client will get an error (or depending on the site and browser may refuse to connect at all in the case of pinned and pteloaded certificates) indicating that they’re connecting to a site with a certificate from an untrusted issued unless they’ve been configured to trust the CA held on the proxy.
    
    The ‘break’ between the client side connection and the server side connection will be in plaintext and can be examined through internal tools or sent to external ones typically through ICAP.
    
    source
    -> View More Comments
  - SheeEttin@lemmy.world ⁨1⁩ ⁨year⁩ ago
    That’s literally it. It sends a cert for amazon.com, that your client trusts, because the CA cert used to sign it is in your trusted store.
    
    source
    -> View More Comments
Decronym@lemmy.decronym.xyz ⁨1⁩ ⁨year⁩ ago
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters More Letters

DNS Domain Name Service/System

SSL Secure Sockets Layer, for transparent encryption

VPN Virtual Private Network

[Thread #237 for this sub, first seen 24th Oct 2023, 15:25] [FAQ] [Full list] [Contact] [Source code]

source

Fewer Letters	More Letters
DNS	Domain Name Service/System
SSL	Secure Sockets Layer, for transparent encryption
VPN	Virtual Private Network