
Mitmproxy - an SSL-capable man-in-the-middle proxy - bound008
http://mitmproxy.org/
======
alt_
Not to be confused with mitm-proxy[1], which is java-based.

For diagnostics I'd prefer something like Paros[2], Burp[3] or WebScarab[4],
which has a graphical interface, but this one seems to offer a quite nice
scripting API which I'll have to take a closer look at.

[1] <http://crypto.stanford.edu/ssl-mitm/>

[2] <http://www.parosproxy.org/>

[3] <http://www.portswigger.net/burp/proxy.html>

[4]
[https://www.owasp.org/index.php/Category:OWASP_WebScarab_Pro...](https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)

~~~
thspimpolds
Burp is fantastic. The free version is great, the paid version (which is very
cheap) is even better. All our developers use burp to catch traffic between
their development simulators and the testbed for debugging.

~~~
squeed
Agreed, I've also used Burp to great effect. I'm glad this field is getting a
lot of attention.

------
mdp
This looks very cool. I've been working on a similar project built on top of
Node.Js and Connect (<https://github.com/mdp/middlefiddle>)

It lets you use Connect compatible middleware to alter the request or response
-
([https://github.com/mdp/middlefiddle/blob/master/.middlefiddl...](https://github.com/mdp/middlefiddle/blob/master/.middlefiddle/sites/ft.com.coffee))

There's a bunch of these proxies out there, and they all provide something
different, but if you're just looking to inspect the HTTPS request, I'd also
recommend the excellent Charles Web Proxy - <http://www.charlesproxy.com/> \-
I bought a copy years ago, and it's been invaluable.

------
XERQ
Fortinet has a similar feature for the Fortigates. You can have the SSL cert
(ex: secure.yourcompany.com) be presented from an IP bound to the firewall and
be able to read all communications between the client and server. I'm not sure
if the same applies to a certificate you don't own (ex: mail.google.com) for
the same purpose.

~~~
icebraining
Squid can do that too; and if you give it your own CA cert, it can dynamically
generate certs with the right domain to prevent browser errors.

<http://wiki.squid-cache.org/Features/SslBump>

<http://wiki.squid-cache.org/Features/DynamicSslCert>

------
keeperofdakeys
For those interested, there was a talk about mitmproxy at linxu.conf.au 2012,
a linux conference in Australia.

<http://www.youtube.com/watch?v=kQ1-0G90lQg>

------
rlpb
Also see: <https://github.com/moxie0/sslsniff>

------
pagekalisedown
Another good one (free): <http://www.tcpcatcher.org/>

------
bound008
another great use is for diagnosing mobile applications (including ones you
did not write) without needing to sniff wpa2 traffic. also, even as just a
startup of 15 people, we use wpa2 enterprise to avoid such simple wireshark
usage.

