mitmproxy

A few words of praise for mitmproxy.  This useful tool lets you monitor TLS-encrypted communications from a device, provided you can install a trusted Certificate Authority (CA) certificate on it (and provided the application on the device accepts TLS certificates signed by that CA, rather than pinning the server's real certificate).

The idea is that TCP traffic from the device, and HTTP traffic in particular, is routed through mitmproxy.  Whenever the device acts as TLS client to establish a TLS connection with a TLS server, mitmproxy connects to that server itself, takes the certificate the server returns, extracts the Common Name and Subject Alternative Name fields, copies those into a new certificate whose public key is one for which mitmproxy holds the private key, and signs this new certificate using the mitmproxy CA key before presenting it to the device.  Because the device trusts the mitmproxy CA, it believes it is communicating with the TLS server it was expecting, while mitmproxy holds one TLS session with the device and another with the server, forwards device traffic to the server and server traffic to the device, and logs both in the clear.  The scheme fails only where the client checks something stronger than a signature from a trusted CA, for instance an application that pins the server's real certificate or public key.  mitmproxy generates a 2048-bit RSA key as its CA key the first time it runs, stores it in its configuration directory, and reuses the same key on subsequent runs.  The leaf certificates it generates for TLS sessions use RSA keys of the same size as the CA key.
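To make the certificate-cloning step concrete, here is an added example written for this page (it is not mitmproxy's own code) that performs the same operation with the openssl command line: build a 2048-bit RSA interception CA, take a server certificate, copy its CN and SAN entries into a new certificate for a fresh key we control, sign that with the CA, and then run the trust check the device would run.  The "upstream" certificate is constructed locally for the demo (in real use it is whatever the remote server presents), and the names www.example.com, example.com and "demo interception CA", together with the scratch file paths, are assumptions of the example.

```shell
#!/bin/sh
# Added example (not mitmproxy's code): reproduce the certificate-cloning step
# with the openssl CLI. The "upstream" certificate is constructed locally for
# the demo; in real use it is whatever the remote server presents.
set -eu

WORK=$(mktemp -d)          # scratch directory for keys and certificates (assumed path)
trap 'rm -rf "$WORK"' EXIT

# Interception CA: 2048-bit RSA, self-signed, marked CA:TRUE so that clients
# accept it as an issuer (mitmproxy creates an equivalent CA on first run).
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo interception CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 30 \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Constructed stand-in for the real server's certificate: a CN plus two SAN
# entries, self-signed with its own key (our CA has nothing to do with it).
make_upstream() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$WORK/upstream.key" -out "$WORK/upstream.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:www.example.com,DNS:example.com\n' > "$WORK/upstream.ext"
    openssl x509 -req -in "$WORK/upstream.csr" -signkey "$WORK/upstream.key" -days 30 \
        -extfile "$WORK/upstream.ext" -out "$WORK/upstream.crt" >/dev/null 2>&1
}

# Field extraction helpers; each takes a certificate file.
cert_cn()       { openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'; }
cert_sans()     { openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | tr '\n' ',' | sed 's/,$//'; }
cert_key_bits() { openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }
cert_pubkey()   { openssl x509 -in "$1" -noout -pubkey; }

# The interception step: copy CN and SANs from the upstream certificate into a
# CSR for a fresh 2048-bit RSA key we hold, then sign the result with our CA.
forge_cert() {
    cn=$(cert_cn "$WORK/upstream.crt")
    sans=$(cert_sans "$WORK/upstream.crt")
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$WORK/forged.key" -out "$WORK/forged.csr" >/dev/null 2>&1
    printf 'subjectAltName=%s\n' "$sans" > "$WORK/forged.ext"
    openssl x509 -req -in "$WORK/forged.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$WORK/forged.ext" -out "$WORK/forged.crt" >/dev/null 2>&1
}

# The check a device performs once our CA certificate is installed as trusted.
chains_to_ca() { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; }

run_demo() {
    make_ca
    make_upstream
    forge_cert
    printf 'upstream: CN=%s SAN=%s\n' "$(cert_cn "$WORK/upstream.crt")" "$(cert_sans "$WORK/upstream.crt")"
    printf 'forged:   CN=%s SAN=%s key=%s bits\n' "$(cert_cn "$WORK/forged.crt")" \
        "$(cert_sans "$WORK/forged.crt")" "$(cert_key_bits "$WORK/forged.crt")"
    if chains_to_ca "$WORK/forged.crt"; then echo "forged certificate verifies against the demo CA"; fi
    if ! chains_to_ca "$WORK/upstream.crt"; then echo "real upstream certificate does not (the device never sees it)"; fi
}

run_demo
```

The two verify calls at the end are the whole point: the forged certificate carries exactly the identity of the real one but a different public key, and it passes the device's trust check only because the device was told to trust the demo CA.  A client that pins the server's real public key would reject it, since `cert_pubkey` of the two certificates differs.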

mitmproxy is open source, and can be installed to run on Linux, OS X or Windows, and the target device can be a computer running one of those operating systems or an iOS or Android device – there are doubtless other possibilities.  The code is written in Python, and uses the pyOpenSSL library for its cryptography.  The excellent documentation includes advice on how to install the mitmproxy CA certificate on the target – this can usually be done easily by browsing to mitm.it and selecting the appropriately formatted CA certificate from the page that mitmproxy returns (the page is served by mitmproxy itself, so this only works once the device's traffic is already passing through the proxy).  Traffic from the device can be routed to mitmproxy by explicitly setting up an HTTP proxy in the device, or transparently by setting the IP address of the machine running mitmproxy as the device's gateway: in this latter case some additional setup is required on that machine (IP forwarding and a firewall rule redirecting the device's port 80 and 443 traffic to mitmproxy) so that mitmproxy can learn each connection's original destination host.  Other proxy modes are available too.

While mitmproxy is primarily organised around capturing HTTP/HTTPS traffic, it can also be configured to decrypt and log non-HTTP TLS traffic.  And it is not limited to passive capture: powerful addons can be programmed (in Python) to add active manipulation of data.

Chapel Cottage  ○  Broadchalke  ○  Salisbury  ○  Wiltshire  ○  England  SP5 5EN  ○  01722 780102  (+44 1722 780102)