PerProxy is a HTTPS proxy that uses Perspectives [1] to monitor SSL connections, detect and thwart SSL attempts using fradulent certificates (e.g. [3,4]). It is not in any way intended to replace the Perspectives Firefox extension [2], but to serve in instances when the extension cannot be used (e.g. you are using another browser, a version of Firefox that doesn't support the extension). Note that PerProxy has only been tested with Firefox 4.x at this time. It is most defintely a work in progress. Use at your own risk. PerProxy acts as a SSL MITM, accepting SSL credentials from the browser and making certificates on the fly to imitate the expected server. As such, to use PerProxy, the first step is to create a CA certificate for it to use: ./m2crypto-create-ca.py Then you need to load the newly create CA certificate into your browser. With FireFox, you just need to open the certificate, e.g. use a URL such as: file:///path/to/PerProxy/ca-cert.crt And you will be prompted and walked through the process. Then you can fire up PerProxy (use '-d' for debug mode will probably be most useful): ./PerProxy -d Then configure your web browser to use port localhost:8080 as a HTTPS proxy. With FireFox this is under Preferences, Advanced, Network, Connection, Settings. Select "Manual proxy configuration" and for "SSL Proxy" enter "localhost" and "8080". Click OK to save. (Using an add-on such as QuickProxy will let you turn this setting on and off easily.) Now connect to an HTTPS website and watch the output from PerProxy. Please report comments, issues, bugs, etc. at https://github.com/von/PerProxy -------------------- Here is how PerProxy currently works: * It acts as an HTTPS proxy, receiving and parsing a CONNECT message from the client browser to obtain the target hostname. * It connects to the target server. ** If the target server's certificate is in the cache, it proceeds. ** If the target server's certificate is not in the cache, it queries Perspectives notaries to validate the target server certificate. On success it puts the certificate into the cache. ** On failure, an error is returned to the client browser (see Note below) and the connection is closed. * A SSL conection is established back to the client and all data is passed through between the two. Note: All error handling is very rudimentary right now. PerProxy will print logs as things happen to stdout and a HTML web page is returned to the client. The HTML will be displayed only for primary pages though, if the request is for an image or other element of a page, it likely gets swallowed by the browser. -------------------- This code is freely distributed under an MIT license [6]. -------------------- [1] http://www.networknotary.org/ [2] http://www.networknotary.org/firefox.html [3] https://www.eff.org/deeplinks/2011/03/iranian-hackers-obtain-fraudulent-https [4] http://crypto.stanford.edu/ssl-mitm/ [5] https://github.com/danwent/Perspectives-Server [6] http://www.opensource.org/licenses/mit-license.php