Micha <[EMAIL PROTECTED]> writes:

> Yes, there was a thread on this list where jidanni points to a possible
> solution for caching https (IIRR). Now i'm asking myself the same
> question....but i can't find this message. And I remember there's an
> archive somewhere, but i lost the link. Could somebody help me with this
> archive URL or just repeating what this idea was about ?

The e-mail archive is
http://www.mail-archive.com/wwwoffle-users%40gedanken.demon.co.uk/

> I've some thoughts about the problem.
>
> wwwoffle can't cache or modify pages received via https://
> since this traffic is tunneled (that is, encrypted) between the web
> server and the browser-- is that right ?

That is correct, the link is encrypted with a one-time encryption key
that is sent to you with a certificate. The browser will complain
about accepting data unless it comes with a certificate with the
correct server's name that has been signed by a Certificate Authority
(CA). When you install a browser you will install a number of
certificates from these certificate authorities.

There is a chain of trust when you visit an https server. You trust
the browser, the browser trusts the certificate authority and the
certificate authority trusts the server. The browser will then load
the page without complaint. If the server has a certificate that is
not signed by one of the certificate authorities that your browser
trusts then the browser will complain.

If you install Apache with SSL enabled then you can have your own
https server. You will need a certificate for it and it is likely
that you will create your own and sign it yourself. When you access
the server your browser will complain, but it will let you do it. You
can stop the browser from complaining by telling it to trust your
certificate as a certificate authority.

> But, from a browser, i can save https pages on disk (with content
> directory). So there *is* a way for a user to get the unencrypted
> content, besides through the eyes.

Yes, there is nothing magical about the link. The chain of trust only
goes one way, the browser is not trusted by the server (in certain
cases you can have a personal certificate that is used by the server
to make sure that you really are you). Any program can fetch https
data from a server (e.g. 'curl' was one of the first command line
https clients).

> Is there at least theoretically a way for a proxy (or any user process)
> to get the 'https' page contents from the browser, without modifying the
> browser code ?

It is all a question of trust. If you trust your proxy enough then
the proxy can make an https connection to the server, decrypt the
data, store it and re-encrypt it to send to you. The certificate the
proxy uses to send the data to you would be signed by its own
certificate and not the original certificate authority's certificate.

This is the model that Dan (jidanni) was talking about in his original
e-mail on the subject.

-- 
Andrew.
----------------------------------------------------------------------
Andrew M. Bishop                             [EMAIL PROTECTED]
                                      http://www.gedanken.demon.co.uk/

WWWOFFLE users page:
        http://www.gedanken.demon.co.uk/wwwoffle/version-2.8/user.html
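
The chain of trust described in this reply, as an added example that is not part of the original e-mail or of WWWOFFLE: it uses the openssl command line to show that a certificate re-signed by a proxy's own CA verifies only for a client that trusts that CA. The CA names, the host name www.example.test and the file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration: CA names, host name and file names are constructed.

# Create a self-signed CA: $1 = file prefix, $2 = common name.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" 2>/dev/null
}

# Issue a certificate for host $3 signed by CA prefix $1, saved as $2.crt.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
        -subj "/CN=$3" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.crt" 2>/dev/null
}

# Print "trusted" if certificate $2 chains to the one CA file $1 that the
# client trusts, otherwise "untrusted" (the case where a browser complains).
check_trust() {
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo trusted
    else
        echo untrusted
    fi
}

# Build both CAs and both certificates in a scratch directory, then print
# one "<certificate> <trusted CA> <result>" line per case.
trust_demo() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1
    make_ca public "Constructed Public CA" &&
    make_ca proxy "Constructed Proxy CA" &&
    issue_cert public origin www.example.test &&
    issue_cert proxy resigned www.example.test || { cd /; rm -rf "$dir"; exit 1; }
    echo "origin public $(check_trust public.crt origin.crt)"
    echo "resigned public $(check_trust public.crt resigned.crt)"
    echo "resigned proxy $(check_trust proxy.crt resigned.crt)"
    cd / && rm -rf "$dir"
)

trust_demo
```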
