tlsproxy (0.2, 2011-03-23)

Last updated 2013-12-04

Note
tlsproxy is no longer maintained and might not work properly!

tlsproxy is a simple TLS proxy for HTTPS. It intercepts TLS connections and checks that the server certificate has not changed: if it has, it sends an error message back to the client; otherwise it forwards the traffic between client and server.

It is designed to prevent man-in-the-middle attacks in which an attacker gets a CA to sign a different server certificate for a website. Because the browser trusts that CA’s certificate, it accepts the new server certificate without complaint, and the user never learns that he is talking to a different machine. tlsproxy prevents that.

It is similar to Certificate Patrol (a Firefox plugin) but implemented as a proxy instead of a plugin, so it works with every browser, with command-line tools such as wget and curl, and with any other program that uses TLS (getmail, etc.).

It is not very convenient yet (for example, you have to add the certificates manually), but it should work fine.

Of course, a proxy is not the ideal solution to this problem. Ideally every browser and every other program using TLS would provide a similar mechanism to ensure that the server certificate does not change without the user noticing. Until that happens, tlsproxy can serve as a workaround.

A recent attack on a CA [1], which allowed attackers to obtain certificates for important websites, clearly demonstrated that we need better server certificate validation in our browsers.

It is important to understand that tlsproxy performs no validation of the certificates you give it (no CA chain or CRL checks): it only ensures that the certificate you give it is the only one the server presents. You must verify the server certificate yourself.
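To make that check concrete, here is the decision logic of such a pinning proxy in Python. This is an added illustration, not tlsproxy’s own code (which is C on GnuTLS); the hostname-keyed pin store, the SHA-256 fingerprints and the sample certificate bytes are assumptions of this example, not tlsproxy’s actual storage format.

```python
"""Exact-certificate pinning as a proxy like tlsproxy performs it.

Added illustration, not tlsproxy's own code. The store maps a hostname
to the SHA-256 digest of the certificate the user added by hand; no CA
chain or CRL validation happens here, exactly as the text warns.
"""
import hashlib
import hmac
from typing import Dict, Tuple

PinStore = Dict[str, str]  # hostname -> hex SHA-256 of the DER certificate


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate the server presented."""
    return hashlib.sha256(der_cert).hexdigest()


def add_pin(store: PinStore, host: str, der_cert: bytes) -> None:
    """Record the certificate the user verified out of band (manual step)."""
    store[host] = fingerprint(der_cert)


def check_server_cert(store: PinStore, host: str, der_cert: bytes) -> Tuple[bool, str]:
    """Return (forward, message): forward only on an exact match.

    An unknown host is refused because only manually added certificates are
    trusted; a mismatch is reported to the client instead of being relayed.
    """
    expected = store.get(host)
    if expected is None:
        return False, "no pinned certificate for %s; add it manually" % host
    seen = fingerprint(der_cert)
    # Constant-time comparison of the two hex digests.
    if hmac.compare_digest(seen, expected):
        return True, "certificate matches pin; forwarding"
    return False, ("certificate for %s changed: pinned %s..., got %s... "
                   "(possible MITM); refusing connection"
                   % (host, expected[:16], seen[:16]))


# Constructed sample data: stand-ins for real DER certificate bytes.
PINNED_CERT = b"\x30\x82\x01\x00-constructed-der-for-example.org"
ROGUE_CERT = b"\x30\x82\x01\x00-different-der-signed-by-another-ca"

if __name__ == "__main__":
    store = {}  # type: PinStore
    add_pin(store, "example.org", PINNED_CERT)
    print(check_server_cert(store, "example.org", PINNED_CERT))
    print(check_server_cert(store, "example.org", ROGUE_CERT))
    print(check_server_cert(store, "other.example", PINNED_CERT))
```

In a real proxy `der_cert` would come from the server side of the connection (for example `getpeercert(binary_form=True)` on a Python `ssl` socket) before any client bytes are relayed.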

tlsproxy is licensed under GPL 3 (or later).

If you find any bugs or have suggestions, please tell me at simon@ruderich.org.

Requirements

  • C89 compiler

  • GnuTLS library including development headers

  • certtool (from GnuTLS) to create TLS certificates

Usage

See README in tarball.

Supported Systems

Tested on GNU/Linux and FreeBSD. Should work on all POSIX systems (with minor modifications).

Download

Current development happens in the git repository (also browsable via Gitweb):

git clone https://ruderich.org/simon/tlsproxy/tlsproxy.git
