Can I do a tls proxy without anyone being aware of it?

Asked by AryanTandon in SQL Server, Dec 27, 2021

Is it possible to do TLS through a proxy without anyone noticing? How? My curiosity aided me in doing a thorough internet research, after which I got to know that a TLS proxy is used in secure connections to allow for additional networking services while protecting against denial-of-service attacks. TLS (Transport Layer Security) provides encryption and authenticity of communication over the Internet. It started out for secure online e-commerce transactions and has quickly become the de facto security protocol. TLS proxies are becoming more prominent than older SSL (Secure Socket Layer) proxies when it comes to handling incoming TLS connections.

Answered by Andrew Jenkins

Since version 1.1, HTTP supports a special method, CONNECT. This sets up the TLS tunnel through the proxy, even though your computer only directly connects to the TLS proxy. HTTPS knows how to tunnel the TLS handshake even through the proxy.


See Wikipedia:

The CONNECT method converts the request connection to a transparent TCP/IP tunnel, usually to facilitate SSL-encrypted communication (HTTPS) through an unencrypted HTTP proxy.

Even more details here: A variation of HTTP tunneling when behind an HTTP Proxy Server is to use the "CONNECT" HTTP method. In this mechanism, the client asks an HTTP Proxy server to forward the TCP connection to the desired destination. The server then proceeds to make the connection on behalf of the client. Once the connection has been established by the server, the Proxy server continues to proxy the TCP stream to and from the client. Note that only the initial connection request is HTTP - after that, the server simply proxies the established TCP connection. This mechanism is how a client behind an HTTP proxy can access websites using SSL (i.e. HTTPS).

But note this caveat: Not all HTTP Proxy Servers support this feature, and even those that do may limit the behaviour (for example only allowing connections to the default HTTPS port 443, or blocking traffic which doesn't appear to be SSL).
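The CONNECT exchange the answer describes, walked through in code as an added example (this is not code from the original post or from Andrew Jenkins). It simulates both sides in memory: the client sends the one HTTP request the proxy will ever parse, the proxy answers with a status line, and from then on bytes are relayed opaquely. The proxy policy shown (only port 443 allowed, first tunneled bytes must look like a TLS ClientHello) and the sample ClientHello prefix are constructed assumptions that illustrate the caveat above, not the behaviour of any particular proxy product.

```python
import re

# Constructed policy for the simulated proxy: the restrictions the answer's
# caveat mentions (HTTPS port only, traffic must look like TLS).
ALLOWED_PORTS = {443}
CONNECT_RE = re.compile(r"CONNECT ([A-Za-z0-9.\-]+):(\d{1,5}) HTTP/1\.[01]")

# Constructed, truncated TLS record: type 0x16 (handshake), version 3.1,
# record length 5, handshake type 0x01 (ClientHello). Enough for the check below.
SAMPLE_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"


def build_connect_request(host: str, port: int) -> bytes:
    """Client side: the only HTTP the proxy sees for this connection."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")


def parse_connect_request(raw: bytes):
    """Proxy side: split the HTTP request head from any bytes that followed it.
    Returns (host, port, leftover); raises ValueError on malformed input."""
    head, sep, leftover = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    request_line = head.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    m = CONNECT_RE.fullmatch(request_line)
    if not m:
        raise ValueError(f"not a CONNECT request: {request_line!r}")
    host, port = m.group(1), int(m.group(2))
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return host, port, leftover


def looks_like_tls_client_hello(data: bytes) -> bool:
    """Cheap sanity check on the first tunneled bytes: a TLS record of content
    type handshake (0x16), major version 3, whose first handshake message is a
    ClientHello (0x01). Not a full TLS parser; it only lets the proxy refuse
    traffic that obviously is not TLS, as the caveat describes."""
    return (len(data) >= 6 and data[0] == 0x16
            and data[1] == 0x03 and data[5] == 0x01)


def proxy_decide(raw_request: bytes) -> str:
    """Simulated proxy policy: return the HTTP status line sent to the client."""
    try:
        _host, port, _leftover = parse_connect_request(raw_request)
    except ValueError:
        return "HTTP/1.1 400 Bad Request"
    if port not in ALLOWED_PORTS:
        return "HTTP/1.1 403 Forbidden"
    return "HTTP/1.1 200 Connection Established"


def simulate_exchange(host: str, port: int, first_client_bytes: bytes):
    """Run one client/proxy exchange and return the transcript as a list of
    (sender, bytes). After the 200 response the proxy relays bytes without
    parsing them as HTTP; here it only applies the 'must look like TLS' check."""
    transcript = []
    req = build_connect_request(host, port)
    transcript.append(("client->proxy", req))
    status = proxy_decide(req)
    transcript.append(("proxy->client", status.encode("ascii") + b"\r\n\r\n"))
    if not status.startswith("HTTP/1.1 200"):
        return transcript  # tunnel refused; nothing else is relayed
    transcript.append(("client->proxy (opaque)", first_client_bytes))
    if looks_like_tls_client_hello(first_client_bytes):
        transcript.append(("proxy->server (opaque)", first_client_bytes))
    else:
        transcript.append(("proxy", b"closed: first bytes are not a TLS ClientHello"))
    return transcript


if __name__ == "__main__":
    for sender, data in simulate_exchange("example.com", 443, SAMPLE_CLIENT_HELLO):
        print(f"{sender:24} {data!r}")
    for sender, data in simulate_exchange("example.com", 8080, SAMPLE_CLIENT_HELLO):
        print(f"{sender:24} {data!r}")
```

Running it prints the two transcripts: the port 443 tunnel is accepted and the ClientHello is forwarded untouched, while the port 8080 request is refused with 403 before any tunnel exists. The point for a defender is the one the answer makes: the proxy can see and police the CONNECT line and the shape of the first bytes, but once it has answered 200 it is forwarding ciphertext it cannot read.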
