Hacker News new | past | comments | ask | show | jobs | submit login
Mitmproxy - an SSL-capable man-in-the-middle proxy (mitmproxy.org)
99 points by bound008 on Feb 6, 2012 | hide | past | favorite | 15 comments

Not to be confused with mitm-proxy[1], which is java-based.

For diagnostics I'd prefer something like Paros[2], Burp[3] or WebScarab[4], which has a graphical interface, but this one seems to offer a quite nice scripting API which I'll have to take a closer look at.

[1] http://crypto.stanford.edu/ssl-mitm/

[2] http://www.parosproxy.org/

[3] http://www.portswigger.net/burp/proxy.html

[4] https://www.owasp.org/index.php/Category:OWASP_WebScarab_Pro...

I have used stanford's ssl-mitm, Paros and WebScarab. The one being shown here is better than all of them, actually.

The textual interface is actually a curses-based interface that lets you do stuff as you would normally do in paros, such as capture a request or edit a request and replay it. So it is not just like you're watching logs. You can take many kinds of actions from within that text interface, and very quiclky. The scripting API is also very good.

I would also recommend Charles. I use it daily. Inexpensive too. http://www.charlesproxy.com/

Burp is fantastic. The free version is great, the paid version (which is very cheap) is even better. All our developers use burp to catch traffic between their development simulators and the testbed for debugging.

Agreed, I've also used Burp to great effect. I'm glad this field is getting a lot of attention.

This looks very cool. I've been working on a similar project built on top of Node.Js and Connect (https://github.com/mdp/middlefiddle)

It lets you use Connect compatible middleware to alter the request or response - (https://github.com/mdp/middlefiddle/blob/master/.middlefiddl...)

There's a bunch of these proxies out there, and they all provide something different, but if you're just looking to inspect the HTTPS request, I'd also recommend the excellent Charles Web Proxy - http://www.charlesproxy.com/ - I bought a copy years ago, and it's been invaluable.

Fortinet has a similar feature for the Fortigates. You can have the SSL cert (ex: secure.yourcompany.com) be presented from an IP bound to the firewall and be able to read all communications between the client and server. I'm not sure if the same applies to a certificate you don't own (ex: mail.google.com) for the same purpose.

Squid can do that too; and if you give it your own CA cert, it can dynamically generate certs with the right domain to prevent browser errors.



This is a feature of many firewalls now, even at the small/medium business end of the market.

If you're a company that relies on virus scanning HTTP traffic then the increasing number of websites which force SSL looks like a potential problem.

Software like that will issue per-site SSL certs signed by a company-wide trusted authority.

this handles all the certificate work on its own and auto generates and stores certificates in ~/.mitmproxy or something similar so you can quickly email it to your iDevice. although it is a little eerie to see my bank password in "plain-text", its fun to look at how other app makers send and receive data.

For those interested, there was a talk about mitmproxy at linxu.conf.au 2012, a linux conference in Australia.


Another good one (free): http://www.tcpcatcher.org/

another great use is for diagnosing mobile applications (including ones you did not write) without needing to sniff wpa2 traffic. also, even as just a startup of 15 people, we use wpa2 enterprise to avoid such simple wireshark usage.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact