SSL Decryption/Spoofing
The app is able to decrypt SSL and spoof the remote site certificate. It acts as a MITM (sitting between client and remote server) decrypting HTTPS communication on-the-fly without a client spotting any difference.
Disclaimer
This app was build solely for educational purposes. I did that to learn how the SSL encryption can be done. Author doesn't take any responsibility for misuse of this project.
Prerequisites
- Client must have the self-signed CA cert installed in Chrome/system
- Client must have set the transparent (system/browser) proxy pointing at this app
Details
- See
conf/configuration.go
for configuration options - In default the transparent proxy runs on 0.0.0.0:8080
- In default the internal web server for SSL spoofing runs on 0.0.0.0:8443
Setup
Generate certification authority (https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/)
openssl genrsa -des3 -out myCA.key 2048
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
- Configure the app to use these generated key and cert
- Run the app
- Import the myCA.pem into Chrome under
Trusted Root Certification Authorities
(windows) or into the key-chain (Mac) - More details can be found here - Setup the HTTPS proxy (e.g. using SwitchyOmega)
- Test going to an HTTPS site and check the certificate details. They should resemble what is in
crypto/spoof.go#spoofCertificate
How do I find if it's working?
- HTTPS pages render fine in the chrome browser (no security warning)
- After clicking the small lock icon next to the domain in the address bar and selecting Certificate option you should see the spoofed cert
- Logs of the app should show connections going through
Sources used during the implementation