16

I am aware that MITMproxy only captures HTTP/HTTPS protocols, whereas SSLsplit is a transparent proxy and can therefore also capture other non-HTTP protocol communications. However, MITMproxy can operate as a transparent proxy as well. Hence I would think that MITMproxy and SSLsplit are exactly the same?! I tried to google it but I couldn't find a clear answer.

TildalWave
Irene Ant
  • what does "transparent proxy" mean to you, and why does that mode mean that a proxy could work on all protocols? – schroeder Feb 04 '16 at 22:37

1 Answer

16

[Disclaimer: I'm one of the mitmproxy authors. My opinions may be biased. :)]

sslsplit

sslsplit is a transparent proxy that can intercept TLS connections using a man-in-the-middle attack. sslsplit supports plain TCP, TLS and also HTTP to the extent that it removes HPKP, HSTS and Alternate Protocol response headers. Intercepted connections can be dumped into logfiles. sslsplit is written in C and thereby pretty performant.

mitmproxy

mitmproxy is a tool that has many more features and is thereby much more complex. In contrast to sslsplit, mitmproxy has an interactive user interface and allows you to pause, inspect, edit, replay, or drop flows. While it can be used as a transparent proxy, mitmproxy can also run as an HTTP, SOCKS, reverse or upstream proxy. Additionally, there is a simple Python scripting interface. As you already mentioned, mitmproxy speaks HTTP primarily, nonetheless it also supports logging arbitrary TCP connections (although that's not a first-class feature at the moment).


To sum it up,

  • both mitmproxy and sslsplit perform the same kind of man-in-the-middle attack on TLS
  • mitmproxy is more powerful and has more features
  • sslsplit has a more dedicated purpose, is simpler, and faster.
  • both are (IMHO) excellent tools
Maximilian Hils
  • 6
    I am the author of sslsplit and I agree with Maximilian's opinion :) – Daniel Roethlisberger Mar 25 '16 at 23:50
  • And what is the exact difference between sslsplit and sslsniff? cc @DanielRoethlisberger – baptx Dec 17 '17 at 16:45
  • 3
    @baptx the two fulfill similar roles, but in a nutshell: sslsplit runs on more platforms and with more different NAT engines, supports IPv6, plain TCP/SSL (non-HTTP). Also, sslsplit supports STARTTLS generically and uses the SNI extension sent by the client to ensure the forged certificate matches the client's expectations. Finally, sslsplit is more suitable to running in a production environment (i.e. crashes less often, better daemonization features). Sslsniff on the other hand has some attack modes specific to certain browser/client vulnerabilities that were omitted in sslsplit. – Daniel Roethlisberger Jan 02 '18 at 22:15
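
The answer above notes that sslsplit removes HPKP, HSTS and Alternate Protocol response headers. As an added example (not part of the original answer or of either project's code), this Python check compares a response head captured at the origin with the one the client received and reports which of those headers went missing in transit. The header-name mapping, the function names and both sample responses are assumptions constructed for illustration.

```python
import re

# Standard header names for the three mechanisms the answer lists
# (mapping added for this example, not taken from sslsplit's source).
WATCHED = {
    "strict-transport-security": "HSTS",
    "public-key-pins": "HPKP",
    "public-key-pins-report-only": "HPKP",
    "alternate-protocol": "Alternate Protocol",
}

def parse_head(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw HTTP/1.x response head into {lowercased name: [values]}."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0].decode("iso-8859-1")
    headers: dict[str, list[str]] = {}
    for line in head.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue                            # ignore malformed lines
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def missing_security_headers(origin_raw: bytes, client_raw: bytes):
    """Return (mechanism, header) pairs present at the origin but absent at the client."""
    origin, client = parse_head(origin_raw), parse_head(client_raw)
    return [(mech, name) for name, mech in WATCHED.items()
            if name in origin and name not in client]

# Constructed sample: what the server sent ...
ORIGIN = (b"HTTP/1.1 200 OK\r\n"
          b"Content-Type: text/html\r\n"
          b"Strict-Transport-Security: max-age=31536000\r\n"
          b"Public-Key-Pins: pin-sha256=\"PLACEHOLDER=\"; max-age=5184000\r\n"
          b"\r\n<html></html>")
# ... and what the client saw behind an intercepting proxy (constructed).
CLIENT = (b"HTTP/1.1 200 OK\r\n"
          b"Content-Type: text/html\r\n"
          b"\r\n<html></html>")

if __name__ == "__main__":
    for mech, name in missing_security_headers(ORIGIN, CLIENT):
        print(f"{mech} header removed in transit: {name}")
```

A non-empty result for a host that is known to send these headers is a signal worth correlating with the certificate chain the client was presented.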