2004-10-28 · in Ideas, Done · 235 words

Filtering proxies like Privoxy are extremely useful for people who want to alter the content of web pages before they see them, but they can't currently do anything about pages served by SSL: SSL proxies just pass TCP connections through. With a bit of certificate manipulation, though, it would be possible to alter the content of SSL pages in a proxy.

The trick would be for the proxy to be a CA. The user would grab the proxy's CA certificate (using a magic URL) and install it in their browser as a trusted CA. The proxy could then generate synthetic certificates on the fly for SSL sites that the browser would trust. This would allow real SSL proxying: the browser would talk via SSL to the proxy using certificates generated by the proxy, and the proxy would talk via SSL to the requested sites using (and verifying) their own certificates.

It would even be possible for the proxy to deal with existing clients that use CONNECT for SSL proxies, by starting an SSL session and accepting the incoming HTTP request. Institutions that want to guarantee that their CONNECT proxies are only being used for real HTTP might find this useful.

This has apparently (as of 2009) been implemented in Palo Alto Networks' PA-4000 -- although the fact that I heard about it through RISKS Digest suggests it's perhaps not a terribly good idea...