Mitmproxy HTTPS Analyzer Release

Man

Mitmproxy 11 has been released. The project develops a toolkit for intercepting traffic inside connections established over HTTPS, with the ability to inspect, modify and replay that traffic. Its main purposes are monitoring traffic in corporate systems and diagnosing problems, for example exposing the hidden network activity of applications. The source code is written in Python and is distributed under the MIT license.

To analyze HTTPS traffic, Mitmproxy is placed on a transit node, where it intercepts client requests and turns them into requests that it sends itself to the target server. Mitmproxy establishes an ordinary HTTPS connection with the server the client asked for, and on the client side it terminates the TLS session on behalf of that server, presenting a certificate for the requested hostname that it generates on the fly and signs with its own CA. Traffic received from the client is forwarded to the target server, and the responses are relayed back to the client. This only works because the client trusts mitmproxy's CA: a client that does not trust it, or that pins the real server certificate, will refuse the connection rather than be intercepted.

Several ways of routing traffic through mitmproxy are supported: pointing the browser's HTTP proxy setting at the mitmproxy address, running it as a SOCKS5 proxy, using it as a reverse proxy in front of an HTTP server, or forwarding transparently with packet-filter rules or routing. So that the certificate presented to the client does not trigger browser warnings about the security of the connection, the user is expected to install the mitmproxy root CA certificate on their system, either manually or by opening the special host mitm.it in a browser that is already going through the proxy.

Mitmproxy supports HTTP/2, HTTP/3 and WebSockets, normalization of packet order in a stream, attaching handler scripts (addons) that modify traffic on the fly, saving requests for later replay, generating TLS certificates for intercepted sessions, stripping modification-time and validation headers to defeat client-side caching, a reverse proxy mode that redirects traffic to a server, block lists to filter out specific requests, selective redirection of requests (including serving local files as the response), and modification of content and headers based on regular expressions. For traffic analysis there is a tcpdump-like command-line utility, mitmdump, and a web interface, mitmweb.
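The following addon, added here as an example and not code from the mitmproxy project, shows three of the features above in one handler script: flagging requests to hosts an application was not expected to contact (the "hidden network activity" use case), removing the headers that let a client cache a response, and rewriting text bodies with a regular expression. The allowlist, header names and rewrite rule are constructed assumptions for the demonstration, and the module name `monitor_addon.py` is likewise an assumption. The policy logic is kept in plain functions so it can be tested without a running proxy; the `Monitor` class wires them into mitmproxy's `request` and `response` hooks.

```python
"""mitmproxy addon (example): flag unexpected hosts, defeat caching, rewrite bodies.

Run inside the proxy with:  mitmdump -s monitor_addon.py
The policy below (EXPECTED_HOSTS, header lists, REWRITE_RULES) is a constructed
example, not a recommended configuration.
"""
import logging
import re

try:  # only needed for the type hints of the hook methods when run under mitmproxy
    from mitmproxy import http
except ImportError:  # lets the pure functions be imported and tested stand-alone
    http = None

# Constructed allowlist: hosts the monitored application is expected to talk to.
EXPECTED_HOSTS = {"api.example.com", "cdn.example.com"}

# Request headers that ask the server for a conditional (304) answer, and
# response headers that allow the client to serve later requests from cache.
# Removing both keeps every subsequent request flowing through the proxy.
REQUEST_CACHE_HEADERS = ("if-modified-since", "if-none-match")
RESPONSE_CACHE_HEADERS = ("etag", "last-modified", "cache-control", "expires")

# Constructed rewrite rule: (compiled regex, replacement) applied to text bodies.
REWRITE_RULES = [(re.compile(r"\bbeta\b"), "stable")]


def is_unexpected_host(host: str, expected: set[str] = EXPECTED_HOSTS) -> bool:
    """True when host is neither an expected host nor a subdomain of one."""
    host = host.lower().rstrip(".")
    return not any(host == h or host.endswith("." + h) for h in expected)


def strip_headers(headers: dict[str, str], names: tuple[str, ...]) -> dict[str, str]:
    """Return a copy of headers without the given names (case-insensitive match)."""
    drop = {n.lower() for n in names}
    return {k: v for k, v in headers.items() if k.lower() not in drop}


def rewrite_text(text: str, rules=REWRITE_RULES) -> tuple[str, int]:
    """Apply the regex rules to a body; returns (new_text, number of substitutions)."""
    total = 0
    for pattern, repl in rules:
        text, n = pattern.subn(repl, text)
        total += n
    return text, total


class Monitor:
    """Addon class: mitmproxy calls request()/response() for every HTTP flow."""

    def request(self, flow: "http.HTTPFlow") -> None:
        host = flow.request.pretty_host
        if is_unexpected_host(host):
            logging.warning("unexpected outbound request: %s %s", host, flow.request.path)
        for name in REQUEST_CACHE_HEADERS:  # mitmproxy Headers are case-insensitive
            if name in flow.request.headers:
                del flow.request.headers[name]

    def response(self, flow: "http.HTTPFlow") -> None:
        if flow.response is None:
            return
        for name in RESPONSE_CACHE_HEADERS:
            if name in flow.response.headers:
                del flow.response.headers[name]
        if flow.response.headers.get("content-type", "").startswith("text/"):
            body = flow.response.get_text(strict=False) or ""
            new_body, n = rewrite_text(body)
            if n:
                flow.response.set_text(new_body)  # mitmproxy re-encodes and fixes Content-Length


addons = [Monitor()]
```

Stripping the validators on the response side is the complement of mitmproxy's own `anticache` option, which removes the conditional headers from requests; doing both means a client cannot short-circuit a later request with a cached copy, so the proxy keeps seeing the application's full activity.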

The key improvement in the new version is full support for HTTP/3, which uses QUIC (Quick UDP Internet Connections) as its transport in place of TCP. QUIC runs on top of UDP, multiplexes several streams inside one connection, and builds its encryption on TLS 1.3, so a QUIC session can only be inspected with the same certificate substitution that mitmproxy applies to HTTPS. For HTTP/3, Mitmproxy can intercept traffic transparently and can operate as a reverse proxy (the explicit HTTP proxy mode is not among the supported options). HTTP/3 interception has been tested with Firefox, Chrome, and various versions of cURL.

Other notable changes in the new branch concern improved DNS support in connection with DNS HTTPS records and ECH (Encrypted Client Hello). The new version can query DNS record types other than A/AAAA; for example, with ECH the server's public key is published in HTTPS (formerly HTTPSSVC) DNS records. A mode was added for stripping ECH keys from the HTTPS records returned to the client: without the key the client falls back to an unencrypted ClientHello, leaving the SNI visible to the proxy, which needs it to decide which certificate to generate. For DNS handling the project switched to the Hickory library (formerly Trust-DNS), written in Rust and funded by ISRG, the organization behind Let's Encrypt. DNS-over-TCP is now supported, and an option was added to disable processing of entries from /etc/hosts.
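To make the ECH-stripping mode concrete, here is an added example, not mitmproxy's own DNS code, that parses the RDATA of a DNS HTTPS (type 65) record according to RFC 9460 and removes the `ech` SvcParam (key 5) while leaving the other parameters intact. The sample record is constructed inline (priority 1, target ".", `alpn=h2,h3`, an `ipv4hint`, and a placeholder ECHConfigList that is not a real key) and is not taken from any zone. The wrapper that would hang this off mitmproxy's `dns_response` hook is left out, since mitmproxy 11 ships the feature built in; the point here is what the stripping does on the wire.

```python
"""Strip the ech SvcParam from DNS HTTPS (type 65) RDATA (example code).

Wire format per RFC 9460: SvcPriority (u16), TargetName (uncompressed DNS wire
name), then SvcParams as (key u16, length u16, value) in strictly ascending key
order. Key 5 is "ech", carrying the ECHConfigList the client needs to encrypt
its ClientHello; removing it makes the client send a plain ClientHello.
"""
import struct

SVCPARAM_ECH = 5
SVCPARAM_NAMES = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
                  4: "ipv4hint", 5: "ech", 6: "ipv6hint"}


def _read_name(rdata: bytes, pos: int) -> int:
    """Advance over an uncompressed DNS wire-format name; return the end offset."""
    while True:
        if pos >= len(rdata):
            raise ValueError("truncated TargetName")
        label_len = rdata[pos]
        if label_len & 0xC0:
            raise ValueError("compression pointers are not allowed in HTTPS TargetName")
        pos += 1 + label_len
        if label_len == 0:
            return pos


def parse_https_rdata(rdata: bytes) -> tuple[int, bytes, list[tuple[int, bytes]]]:
    """Split HTTPS RDATA into (priority, target_name_wire, [(key, value), ...])."""
    if len(rdata) < 3:
        raise ValueError("RDATA too short")
    priority = struct.unpack_from("!H", rdata, 0)[0]
    end_name = _read_name(rdata, 2)
    target = rdata[2:end_name]
    params, pos, last_key = [], end_name, -1
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("truncated SvcParam header")
        key, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("truncated SvcParam value")
        if key <= last_key:
            raise ValueError("SvcParamKeys must be strictly ascending")
        params.append((key, rdata[pos:pos + length]))
        last_key, pos = key, pos + length
    return priority, target, params


def build_https_rdata(priority: int, target: bytes, params: list[tuple[int, bytes]]) -> bytes:
    """Inverse of parse_https_rdata; params are emitted in ascending key order."""
    out = struct.pack("!H", priority) + target
    for key, value in sorted(params):
        out += struct.pack("!HH", key, len(value)) + value
    return out


def strip_ech(rdata: bytes) -> bytes:
    """Return RDATA with the ech parameter removed; every other param is kept."""
    priority, target, params = parse_https_rdata(rdata)
    return build_https_rdata(priority, target, [p for p in params if p[0] != SVCPARAM_ECH])


def parse_alpn(value: bytes) -> list[str]:
    """alpn SvcParam value: a sequence of 1-byte-length-prefixed protocol ids."""
    ids, pos = [], 0
    while pos < len(value):
        n = value[pos]
        ids.append(value[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ids


def encode_alpn(ids: list[str]) -> bytes:
    return b"".join(bytes([len(i)]) + i.encode("ascii") for i in ids)


# Constructed sample record (not from a real zone): priority 1, target "."
# (the record's own name), alpn=h2,h3, ipv4hint=192.0.2.1 and a placeholder
# 18-byte "ECHConfigList" that is not a valid key, just filler for the demo.
SAMPLE_RDATA = build_https_rdata(
    1, b"\x00",
    [(1, encode_alpn(["h2", "h3"])),
     (4, bytes([192, 0, 2, 1])),
     (SVCPARAM_ECH, b"\x00\x10" + b"\xaa" * 16)],
)

if __name__ == "__main__":
    for key, value in parse_https_rdata(strip_ech(SAMPLE_RDATA))[2]:
        print(SVCPARAM_NAMES.get(key, key), value.hex())
```

Note that the stripped record is still a valid HTTPS record advertising `h3`, so the client will happily attempt QUIC; it simply no longer has an ECH config, which is exactly the state in which the proxy can read the SNI and generate a matching certificate.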
