
Show HN: A proxy service for debugging HTTP/S traffic - tarnacious_
https://debugproxy.com/
======
Matt3o12_
> debugProxy is a HTTP/S hosted proxy server that lets you interact with the
> traffic passing through it, using a web based dashboard.

So, when I use your proxy you can see and store my http and https traffic
(assuming I install the certificate in my device). Furthermore, all the
traffic from my pc to your proxy is also transmitted unencrypted so
everyone who sits between my device and your proxy can see my traffic as well.

While this interface looks really cool and it is probably feature rich, I will
pass using it because of those privacy concerns. If anyone is interested in a
local http(s) proxy, check out mitmproxy[0] which is open source, runs locally
and is easy to install (I’m not affiliated with them, I use mitmproxy
occasionally when reverse engineering an API).

[0]: https://mitmproxy.org

~~~
tarnacious_
> So, when I use your proxy you can see and store my http and https traffic
> (assuming I install the certificate in my device).

Yes. Requests more than 20 minutes old are permanently deleted.

> Furthermore, all the traffic from my pc to your proxy is also
> transmitted unencrypted so everyone who sits between my device and your
> proxy can see my traffic as well.

No, if you make HTTPS requests they are tunneled over TLS.

> While this interface looks really cool and it is probably feature rich,

Thanks. It isn't feature rich though, it's quite minimal.

> If anyone is interested in a local http(s) proxy, check out mitmproxy[0]
> which is open source, runs locally and is easy to install (I’m not
> affiliated with them, I use mitmproxy occasionally when reverse
> engineering an API).

mitmproxy is indeed great, in fact, this service is built on mitmproxy
instances :)

~~~
throwaway2016a
> mitmproxy is indeed great, in fact, this service is built on mitmproxy
> instances :)

I can appreciate this. Pre-configured / zero config open source software as a
service is a useful thing. Not everyone wants to install, configure, and deal
with command line tools.

Are there tradeoffs? Sure. Would I personally make those tradeoffs? No. But I
am sure some people will.

~~~
tarnacious_
These are my thoughts too. I wouldn't think it is very useful to most
mitmproxy/fiddler/charles power users.

But not having to install something, find your IP address, open your firewall
etc, allows some users who don't want to do all this to start using a
debugging proxy without having to. I'm not sure how many of these users exist
though, we will see!

------
tarnacious_
Hi HN,

This is a side project I have been working on with a friend. It's a pretty niche
service, so it isn't easy finding people to try it. I'm really interested to
hear what you think, for better or worse :) I'm also happy to answer any
questions.

~~~
mhils
Congrats on the launch and thanks for using mitmproxy! :-)

------
aggregator-ios
For those of you looking for a fully native experience or don’t want to deal
with a command line, check out Peek: https://peek.tools

Just a few highlights:

- Fully native iOS app

- You can intercept traffic from any device and your data stays in Peek

- Intercept traffic from other iOS apps on the same device, so you don’t need
a Mac or a 2nd iOS device

- Modify requests and responses as they come in

Disclaimer: I am the creator. Would love to hear your feedback here or
support@peek.tools

~~~
nnd
How does it work? AFAIK you can't run a local webserver on iOS without a
jailbreak.

What's the benefit compared to a traditional network setup with a MITM proxy?

~~~
IMcD23
You can run a web server on iOS, and you don’t need special entitlements to do
so. Depending on how you implement it, you may have problems keeping it alive
while the app is in the background, however.

------
steveharman
These guys never seem to get a mention when this subject surfaces. So I'll
address that: https://cloudmiddleman.com

Been using them for a couple of years, excellent support and new features keep
on coming to their already slick web UI.

~~~
tarnacious_
Thanks for the link. I couldn't find any services offering this when we
started building debugProxy. It's good to see there might be a viable business
model here :)

~~~
johns
There might be, but our experiences running our original product[0] are
contrary to that. Happy to chat about it if you’d like.

[0]: https://www.runscope.com/docs/debugging

~~~
tarnacious_
Hi John, thanks for the offer. I might take you up on that and email you in
the coming days.

I learned of Runscope some time after I started building this, it looks very
interesting.

I too have doubts a proxy service like debugproxy will be very successful as
it is, mostly because using it is still very difficult and in some cases not
possible on various devices (buggy proxy implementations on early iPhones,
Android 7 not allowing root certificates to be added etc.)

I figured there are some other cool things you can do with a proxy though that
might be interesting. For example getting remote debugging working smoothly by
injecting a script into HTML pages sent through the proxy. Or going the other
way and proxying existing websites through a sub-domain of debugproxy.com, which
I used to do to demonstrate changes to clients' websites.

I'll see what feedback I get in the coming weeks and decide what to do, if
anything, from there.

~~~
johns
Email is in the profile if you ever want to chat

------
nnd
Great execution, I had the same idea a while ago after playing with mitmproxy.
My concern would be that people would be tentative towards using it as you can
tamper with requests on the server which they don't have control of.

~~~
tarnacious_
Thanks! I figured (most) people were pretty fast and loose with their security
these days, so that wasn't my concern. I've found the problem is that it still
isn't easy to use, you still need to configure a proxy with credentials and
install a root certificate to proxy HTTPS traffic. Lots of visitors to
debugproxy today, not that many requests through the proxy.

------
bencevans
Interface looks cool but what benefits are there over using mitmproxy?

~~~
tarnacious_
> Interface looks cool

Thanks, glad you think so :)

> what benefits are there over using mitmproxy?

With mitmproxy you can do almost everything you can do with debugProxy and a
lot more.

The main benefit is you don't need to install anything. Also you can proxy
requests from clients outside your local network (if you are behind a NAT
router, for example).

------
fori1to10
You cannot install this thing locally?

------
fiatjaf
I thought this would be something that would run in my own machine.

~~~
tarnacious_
As others have suggested mitmproxy[1] is great for this.

[1]: https://mitmproxy.org/

------
mateuszf
Any advantages over mitmproxy?

------
whathaschanged
How is this better than Charles or Fiddler?

~~~
tarnacious_
It's not "better". It's a hosted alternative.

------
gressquel
Modern apps use SSL pinning, same with big websites using HSTS. So this won't
really decrypt HTTPS traffic

~~~
throwaway2016a
You may be a little optimistic here. Just because the technology exists does
not mean everyone uses it.

I use a MITM proxy to reverse engineer my IoT apps all the time (a lot of them
don't provide public APIs but I want to use them from my controller app). I
have not once run into one that used pinning.

~~~
nnd
Most of the popular consumer apps use SSL pinning these days.

~~~
throwaway2016a
Is that a fact or assumption? Do you have a source?

That's not a jab at you, I am legitimately interested in reading it if you have
a source.

I have literally not found one I cared about doing a MitM exploit on that
actually did it. Granted I haven't tried social networks because my interest
lies mostly in apps that don't have public APIs and most social networks have
APIs.

I won't say who they are because this is not the right venue but I can say for
certain that neither my bank nor my alarm company uses pinning.

~~~
nnd
From personal experience reverse-engineering apps: whatsapp, facebook,
twitter, skype, uber, snapchat, instagram - all pinned. The trend is
definitely there, more and more apps adopt certificate pinning.

