On 4/10/21 8:52 AM, cseb...@gmail.com wrote:
>
>> Is it even possible to be secure in that way? This is, by definition,
>> a MITM, and in order to be useful, it *will* have to decrypt
>> everything. So if someone compromises the monitor, they get
>> everything.
>
> Chris
>
> I hear all your security concerns and I'm aware of them. I *really* don't
> want to have to fight SSL. Encryption was the biggest concern and I'd
> rather not mess with it to do something useful.
>
> I've never used CloudFlare but if I'm not mistaken, it can be considered a
> useful "MITM" service? Do they have to decrypt traffic and increase the
> attack surface to be useful?
Cloudflare does not do any kind of MITM stuff. Cloudflare requires some setup on the part of the server owner, and that takes several forms. One recommended method is to have Cloudflare sign a special certificate that you install on your web server, which encrypts between your server and Cloudflare. Then you provide Cloudflare with an SSL certificate and key to use when they serve up your site to the world.

> I just want to create a "safe" MITM service so to speak.

For my own purposes, sometimes I'll create a limited, wildcard certificate signed by my own authority which works only in my own browser (this is the same technique used by certain regimes to MITM the entire country!). The proxy then uses that certificate. It's useful for some debugging tasks.

Or alternatively I'll create a proxy intended to run on localhost only that proxies an encrypted source to a local, non-encrypted channel. For example, I might want to examine why a connection to an IMAPS port is failing. So I'll proxy IMAPS to IMAP so I can sniff the IMAP locally to find out why the interaction is failing.

-- 
https://mail.python.org/mailman/listinfo/python-list
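The localhost IMAPS-to-IMAP debugging proxy described in the reply above, as an added Python example that is not the poster's own code: it accepts plaintext connections on 127.0.0.1 only, opens a certificate-verified TLS connection to the upstream server, and relays bytes in both directions so a local sniffer sees the IMAP dialogue in the clear. Any upstream host name used with it is an assumption, and the `use_tls=False` switch exists only so the relay can be exercised against a local plaintext test server.

```python
import socket
import ssl
import threading

def pump(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # signal EOF to the other side of the relay
        except OSError:
            pass

def splice(client, upstream_host, upstream_port, use_tls=True):
    """Connect to the upstream server (TLS by default) and relay both directions."""
    raw = socket.create_connection((upstream_host, upstream_port))
    if use_tls:
        # Default context verifies the server's certificate and hostname; the only
        # unencrypted leg is the loopback one between the client and this proxy.
        ctx = ssl.create_default_context()
        upstream = ctx.wrap_socket(raw, server_hostname=upstream_host)
    else:
        upstream = raw  # plaintext upstream: for exercising the relay locally only
    t = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    t.start()
    pump(client, upstream)
    t.join()
    client.close()
    upstream.close()

def start_proxy(upstream_host, upstream_port, use_tls=True, listen_port=0):
    """Listen for plaintext clients on 127.0.0.1 only; returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", listen_port))  # loopback only: plaintext never leaves the box
    srv.listen(5)
    def accept_loop():
        while True:
            client, _ = srv.accept()
            threading.Thread(target=splice, args=(client, upstream_host, upstream_port, use_tls),
                             daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]
```

To debug a real mail server you would call `start_proxy("imap.example.com", 993)` (a placeholder host), point the mail client or `nc` at 127.0.0.1 on the returned port, and capture the loopback interface.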