rhaidiz/broxy

Hardcoded CA Certificate

bpsizemore opened this issue · 5 comments

The CA Cert in the coreproxy_settings.go file is static and not something that gets generated. Anyone who trusts the Cert in order to capture HTTPS traffic will be vulnerable to using unverified sites later.

Example site signed with the hardcoded CA: https://proxy.lf.lc/

This is mostly an issue with the Releases since someone could easily use their own when building themselves, but I think it might make sense to pull it out into a config file.
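An added example, not part of the thread and not Broxy's code: in Go, each installation creates its own CA key and certificate on first run, so a certificate issued under one installation's CA does not verify for a user who trusts only another installation's CA. The names `IssueCert` and `TrustedBy`, the CA common name and the host `site.example` are assumptions made for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// IssueCert makes a fresh key and certificate; with a nil ca it returns a new self-signed CA.
func IssueCert(name string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		DNSNames: []string{name}, KeyUsage: x509.KeyUsageDigitalSignature}
	if ca == nil { // per-installation root: signs itself with the key generated above
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		t.DNSNames, ca, caKey = nil, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// TrustedBy reports whether leaf verifies for host when root is the only trusted CA.
func TrustedBy(leaf, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	if _, _, err := IssueCert("Example Proxy CA", nil, nil); err != nil {
		panic(err)
	}
}
```

A proxy using this approach would store the generated key and certificate in the user's own configuration directory and reuse them on later runs, so the private key never ships in a release.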

Yes sure, this is going to change in the next iteration.

I have finally released the version I was working on and this issue is now fixed.

Really looking forward to seeing where this project goes and hopefully lending a hand where I can once you are ready for some more contributors. Burp has so many bugs and a terrible UI so I'm rooting for Broxy!

Thanks. The user interface is definitely an important aspect; for the time being I decided to implement something that looks like Burp to see if the whole thing would actually work. As for the contribution, I have been thinking about it but I don't really know how to organize it at this time. I guess that if you have an idea on a specific component/module and how to implement it (for example, how to make the UI more accessible) you might open an issue that can be discussed here on GitHub.