

How I Indexed The Daily (HTTP proxying using Charles for Mac) - conesus
http://waxy.org/2011/02/how_i_indexed_the_daily/

======
pyre
Note: Trusting the cert @ <http://charlesproxy.com/charles.crt> could open you
up to MitM attacks by other people using Charles. (This is assuming that it's
a global cert for all Charles installs, which is what it sounds like from the
article)

------
fdb
I didn't know about the Charles tool. I've installed it and it really acts
like a microscope for HTTP; sort of like Wireshark but higher-level.

The ability to debug SSL is definitely the killer feature, though.

------
iuguy
Charles is a reasonably ok tool, but if you want the equivalent of Charles on
steroids, we use Burp Suite Pro (<http://www.portswigger.net/>) at
Mandalorian.

Burp Suite Pro costs about $200 and is worth every penny for both web app
security testing and general web debugging. There's also a free version for
personal use with a few things disabled, but still perfectly useful for
debugging web apps.

------
jipumarino
Depending on your specific requirements, I recommend HTTP Scoop
(<http://www.tuffcode.com/>) for Mac OS X ($15). Not as feature packed, but
it's been more than enough for my needs. It also does not require one to
change the global network settings.

~~~
mattfawcett
Scoop does not support viewing HTTPS traffic though as it just listens on the
network interface rather than acting as a proxy.

------
brokentone
Good writeup on the service. Too bad to hear it won't be continuing. The Daily
needs to figure out information archival both in device and on their website.

------
bkaid
Any suggestions on how The Daily (or others) could prevent people from using
tools like Charles to capture SSL traffic?

~~~
moeffju
They could verify the server's certificate. Even if the user installs a new
(trusted) certificate - as in this case - the app could still check the
certificate information (fingerprint, domain name, O, etc.).
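What that check looks like in practice, as an added example (not code from the thread, from Charles, or from The Daily's app): hash the server's leaf certificate, or better its SubjectPublicKeyInfo, and compare the digest with a pin compiled into the app, without consulting the OS trust store at all. The host name, CA names, key bytes and certificates below are constructed test data; the DER walker is a minimal one written for this example and assumes definite-length encoding, which X.509 DER requires.

```python
"""Certificate pinning check (added example, not from the thread or The Daily)."""
import hashlib
import hmac

# --- minimal DER helpers (assumes definite-length encoding, as DER requires) ---

def tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + content

def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, content, end_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def children(body: bytes):
    """Yield (tag, full_encoding) for each element inside a SEQUENCE/SET body."""
    pos = 0
    while pos < len(body):
        tag, _, end = read_tlv(body, pos)
        yield tag, body[pos:end]
        pos = end

def tbs_fields(cert_der: bytes) -> list:
    """TBSCertificate fields with the optional [0] version dropped:
    [serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...]"""
    _, cert_body, _ = read_tlv(cert_der, 0)   # Certificate ::= SEQUENCE {tbs, sigAlg, sig}
    _, tbs_body, _ = read_tlv(cert_body, 0)
    fields = list(children(tbs_body))
    if fields[0][0] == 0xA0:                    # explicit [0] version is absent in v1 certs
        fields = fields[1:]
    return fields

def spki_from_der(cert_der: bytes) -> bytes:
    """Encoded SubjectPublicKeyInfo: the part of the cert a key pin hashes."""
    return tbs_fields(cert_der)[5][1]

def subject_cn(cert_der: bytes) -> bytes:
    """First commonName (OID 2.5.4.3) in the subject Name, or b'' if none."""
    _, subject_body, _ = read_tlv(tbs_fields(cert_der)[4][1], 0)
    for _, rdn in children(subject_body):       # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
        _, rdn_body, _ = read_tlv(rdn, 0)
        for _, atv in children(rdn_body):
            _, atv_body, _ = read_tlv(atv, 0)
            _, oid, end = read_tlv(atv_body, 0)
            _, value, _ = read_tlv(atv_body, end)
            if oid == b"\x55\x04\x03":
                return value
    return b""

# --- the pinning checks ---

def cert_fingerprint(cert_der: bytes) -> bytes:
    return hashlib.sha256(cert_der).digest()

def spki_pin(cert_der: bytes) -> bytes:
    return hashlib.sha256(spki_from_der(cert_der)).digest()

def verify_server(cert_der: bytes, expected_cn: bytes, pins: set) -> bool:
    """Accept only if the name matches AND the key is one we pinned. The name
    check alone does nothing against Charles, which copies the real CN."""
    pin = spki_pin(cert_der)
    key_ok = any(hmac.compare_digest(pin, p) for p in pins)   # constant-time compare
    return key_ok and subject_cn(cert_der) == expected_cn

# --- constructed test certificates: structurally valid DER, unsigned, not verifiable ---

def fake_cert(subject: bytes, issuer: bytes, pubkey: bytes, serial: int) -> bytes:
    def name(cn):
        return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
    sig_alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))  # sha256WithRSA
    rsa_alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + tlv(0x05, b""))  # rsaEncryption
    spki = tlv(0x30, rsa_alg + tlv(0x03, b"\x00" + pubkey))
    validity = tlv(0x30, tlv(0x17, b"110201000000Z") + tlv(0x17, b"120201000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + sig_alg + name(issuer) + validity + name(subject) + spki)
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" + bytes(32)))

HOST = b"thedaily.example"                                      # hypothetical host name
REAL_KEY, PROXY_KEY = bytes(range(64)), bytes(range(64, 128))   # placeholder key bytes
GENUINE = fake_cert(HOST, b"Some Public CA", REAL_KEY, serial=1)
RENEWED = fake_cert(HOST, b"Some Public CA", REAL_KEY, serial=2)     # same key, new cert
CHARLES = fake_cert(HOST, b"Charles Proxy CA", PROXY_KEY, serial=1)  # what the proxy presents
PINS = {spki_pin(GENUINE)}

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE), ("renewed", RENEWED), ("charles", CHARLES)):
        print(label, "cn=%s" % subject_cn(cert).decode(),
              "pin ok" if verify_server(cert, HOST, PINS) else "REJECTED")
```

Pinning the SubjectPublicKeyInfo rather than the whole certificate is what lets the renewed cert pass while the proxy's cert fails: the renewal changes the serial and the fingerprint but keeps the key, whereas Charles must use its own key. On iOS the leaf DER comes from SecTrustGetCertificateAtIndex and SecCertificateCopyData inside the NSURLConnection authentication challenge delegate; run the normal SecTrustEvaluate chain check first and apply the pin on top of it, and plan for shipping an app update (or a backup pin) before the server key rotates.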

~~~
bkaid
I assume The Daily is using NSURLConnection. Doesn't NSURLConnection by
default reject self signed certificates?

