3

A network I often use has started to decrypt HTTPS traffic (and re-encrypt it, using a different key) using a local proxy. This proxy is operated by people I mostly trust. However, I would like to know if there is a way to maintain encryption and MAC through said proxy, with something like Tor or a VPN. Bonus points for ease of use.

I would also like to ensure that there is not a second MITM, between the local proxy and internet server, if I am not using the above methods, for example, if they are blocked somehow. If there is another MITM present, I'd like some form of warning, similar to the one a browser gives when using an untrusted certificate.

timuzhti
Please define "maintain data integrity and security" in your context. Do you consider it secure if the VPN can be used to transfer malware into a company because it bypasses the firewall's inspection? – Steffen Ullrich Oct 12 '15 at 05:45

1 Answer

1

SSL in the context of web browsing allows you to create a secured (encrypted) tunnel between your browser and an SSL-enabled endpoint.

The SSL-enabled endpoint is typically the server you want to reach, but as you mention in your question, you may have an HTTPS-decrypting proxy on the way. This proxy terminates your SSL connection (the traffic is therefore in the clear from that point), analyses it, and then creates an SSL tunnel with the target server.

What this means is that, during the time your connection is decrypted, everything you send can be read.

This "everything" can be plaintext data (like a password, for instance) or whatever you push through this connection (an encrypted file, for instance). You could also build a "tunnel in tunnel" of sorts: an ssh connection which can act as a proxy, forwarding a local port on your machine to a port on a target server. The HTTPS connection is decrypted by your HTTPS proxy, but the ssh one remains.

I do not know whether you are asking the question from the perspective of someone who has to go through such a proxy, or someone who puts such a proxy in place. If the latter, be very much aware of the potential legal consequences. Your local law may not allow that, or you may be held liable for anything which goes wrong during the decryption phase.

WoJ
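The warning the question asks for (and the "tunnel in tunnel" idea in the answer) can be made concrete with certificate pinning: record the SHA-256 fingerprint of a server's leaf certificate once over a path you trust, then compare what you are shown later against it. Below is an added example, not code from the original question or answer. It uses only the Python standard library and makes these assumptions (none of them come from the page): the local proxy accepts plain HTTP CONNECT on `proxy.example.internal:3128`, and `EXPECTED_PINS` holds fingerprints you captured earlier over a trusted path (for example through the ssh tunnel the answer describes, or on a network without the proxy); the values shown are constructed placeholders.

```python
"""
Added example (not from the original post): pin a server's leaf-certificate
fingerprint so that a re-signing proxy, or any other party that swaps the
certificate, produces a warning. Standard library only.
"""
import hashlib
import socket
import ssl

# Constructed placeholder. Replace with fingerprints captured over a trusted path.
EXPECTED_PINS = {
    "example.com": {"00" * 32},
}


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding of a certificate, lower-case hex, no colons."""
    return hashlib.sha256(der_cert).hexdigest()


def classify(der_cert: bytes, expected: set) -> str:
    """'pinned' if the presented leaf matches a recorded fingerprint, else 'mismatch'.

    A mismatch is exactly the situation the question wants a warning for: some
    party between you and the server presented its own certificate.
    """
    return "pinned" if fingerprint(der_cert) in expected else "mismatch"


def build_connect_request(host: str, port: int) -> bytes:
    """HTTP CONNECT request asking the proxy for a raw TCP tunnel to host:port."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")


def parse_connect_status(reply: bytes) -> int:
    """Status code from the proxy's reply to CONNECT (200 means the tunnel is open)."""
    status_line = reply.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def open_tunnel(host: str, port: int, proxy=None) -> socket.socket:
    """TCP socket to host:port, going through HTTP CONNECT when a proxy is given."""
    if proxy is None:
        return socket.create_connection((host, port), timeout=10)
    sock = socket.create_connection(proxy, timeout=10)
    sock.sendall(build_connect_request(host, port))
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        reply += chunk
    if parse_connect_status(reply) != 200:
        raise ConnectionError(f"proxy refused CONNECT: {reply.splitlines()[0]!r}")
    return sock


def fetch_leaf_der(host: str, port: int = 443, proxy=None) -> bytes:
    """TLS handshake over the (tunnelled) socket; return the leaf certificate as DER.

    Chain verification is disabled on purpose: the point is to see whatever
    certificate is actually presented, including one a proxy re-signed, and
    then judge it against the pin rather than against the CA store.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with open_tunnel(host, port, proxy) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check(host: str, proxy=None) -> str:
    """Fetch the leaf certificate for host and warn if it does not match the pin."""
    der = fetch_leaf_der(host, 443, proxy)
    verdict = classify(der, EXPECTED_PINS.get(host, set()))
    if verdict != "pinned":
        print(f"WARNING: {host} presented an unexpected certificate "
              f"(sha256={fingerprint(der)}); something in the path re-signed it")
    return verdict


if __name__ == "__main__":
    # Hypothetical proxy address; a real run needs network access.
    print(check("example.com", proxy=("proxy.example.internal", 3128)))
```

Two caveats a practitioner should keep in mind. Through the re-signing proxy you will always get "mismatch" for a pinned site, because the proxy's own certificate is all you can see; that tells you interception is happening but says nothing about a second interceptor between the proxy and the real server. To detect that second hop you need a path the proxy cannot re-sign, such as the ssh tunnel from the answer (whose own host-key check is the "untrusted key" warning the question asks for), and you run the pin check over that path. And leaf pins break on routine certificate rotation, so a mismatch is a prompt to investigate, not proof of an attack.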