
What I want to know is whether it is possible to connect to a proxy with an SSL (or otherwise encrypted) connection? (I'm suspecting this is possible because TOR encrypts user connections to its network.) If such a thing exists, what is it called, and is it easy to implement (say with Firefox and FoxyProxy)?

All I could find were questions about whether it's possible to relay (or tunnel) an SSL connection through a proxy, but I'm not looking to do that. What I want to do is have an SSL connection to a proxy (so the traffic between me and my proxy cannot be eavesdropped upon by any intermediaries). I don't necessarily want the connection that the proxy makes to the destination URL to be encrypted via SSL (only when the destination URL supports it).

By the way, in my case I am using FoxyProxy and Firefox, but the question is more about the general principle. And I am aware of TOR, but I'm not looking for that level of anonymity and TOR is too slow for my day-to-day surfing needs (I am thinking of only routing really sensitive traffic through TOR, and day-to-day privacy-sensitive traffic through the proxy).

3 Answers


Support seems to vary depending on the browser. You should find the "Encrypted browser-Squid connection" section of the Squid documentation relevant. (Note that this is different from its SslBump feature.) More specifically, these links should be of interest:

Alternatively, if the browser you're using doesn't support it, you could use something like stunnel to establish the connection to the proxy itself.

Bruno
  • Thanks, I'm having a bit of trouble finding out how to properly implement this though. It seems that Chromium would be the way to go, but that would then limit my use of a proxy to a single SSL proxy for all my connections (which isn't really optimal). Is there no easier way of doing this with, say, Firefox and FoxyProxy? –  Apr 11 '12 at 12:59
  • It's quite unusual to have more than one proxy at a time. What's the issue with that? – Bruno Apr 11 '12 at 13:05
  • Well, I don't necessarily want to use multiple proxies, but I don't want to send all my traffic through the proxy (just a part of it). So I want to use my regular connection for most of my traffic, and divert some through the proxy. –  Apr 11 '12 at 13:28
  • The PAC method (supported in Chromium) should allow you to exclude certain addresses. The `stunnel` method would also follow the exclusion rules you would have with a normal proxy: this would work with any browser too. – Bruno Apr 11 '12 at 13:35
  • Hmm.. So it works, but it's still pretty fiddly (stunnel doesn't really seem to be easy to set up). I'm surprised that there isn't an easier solution for this.. –  Apr 11 '12 at 14:21
  • @Samuel there is an easy solution. Use two browsers: Chromium for your encrypted proxy connection and FF for your normal traffic. I don't think there could be an easier solution than this! – void_in Apr 26 '13 at 13:57
  • God, I wonder how you found these 2 links? What keywords did you use in Google? That helps me a lot. – Rick Jul 11 '19 at 16:14
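As an added example (not part of Bruno's answer, nor taken from the Squid or stunnel documentation), here is the kind of PAC script the answer and the "exclude certain addresses" comment refer to: only a chosen set of domains is sent to the TLS-wrapped proxy, everything else goes DIRECT. The proxy name `proxy.example.com:443` and the domain list are assumptions for illustration; the `HTTPS host:port` return value is the PAC syntax Chromium (and current Firefox) understand for "speak TLS to the proxy itself". The script deliberately avoids the browser-provided PAC helpers such as `dnsDomainIs()` so that the same file also runs under Node for testing.

```javascript
// PAC script: route selected hosts through a TLS-protected proxy, the rest direct.
// Added example, not the original answer's code. Names below are assumptions.

// Domains (and their subdomains) that must go through the encrypted proxy.
// Constructed sample list for this example.
var PROXIED_DOMAINS = ["example.org", "mail.example.net"];

// "HTTPS host:port" tells the browser to open a TLS connection to the proxy
// itself (Squid https_port, or any proxy behind a TLS terminator).
// With the stunnel approach instead, stunnel listens in plaintext on a loopback
// port and makes the TLS hop, so this would become "PROXY 127.0.0.1:3128".
var ENCRYPTED_PROXY = "HTTPS proxy.example.com:443";

// Suffix match done with plain string operations instead of dnsDomainIs(),
// so the function behaves identically inside and outside a PAC engine.
function hostMatchesDomain(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) {
    return true;
  }
  return host.slice(-(domain.length + 1)) === "." + domain;
}

// Loopback, single-label intranet names and RFC 1918 addresses never need
// (and should not get) the proxy.
function isPrivateOrLocal(host) {
  return host === "localhost" ||
         host.indexOf(".") === -1 ||
         /^(10\.|192\.168\.|127\.)/.test(host) ||
         /^172\.(1[6-9]|2[0-9]|3[01])\./.test(host);
}

function FindProxyForURL(url, host) {
  if (isPrivateOrLocal(host)) {
    return "DIRECT";
  }
  for (var i = 0; i < PROXIED_DOMAINS.length; i++) {
    if (hostMatchesDomain(host, PROXIED_DOMAINS[i])) {
      // Fail closed: no "; DIRECT" fallback here. If the proxy is down the
      // browser shows an error instead of silently sending the sensitive
      // request over the plain path, which is the whole point of the setup.
      return ENCRYPTED_PROXY;
    }
  }
  return "DIRECT";
}
```

Point the browser at this file (Chromium: a `--proxy-pac-url=` argument or the system proxy settings; Firefox: "Automatic proxy configuration URL"). The proxy still has to present a certificate the browser trusts for `proxy.example.com`, otherwise the TLS hop to the proxy will be rejected, which is exactly the check that keeps an intermediary from impersonating the proxy.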

SSL certificates (the S in HTTPS) guarantee that there are no eavesdroppers between you and the server you are contacting, i.e. no proxies. Nevertheless, you could use the following hack:

  • Client starts HTTPS session
  • Proxy intercepts the call and returns an ad-hoc generated (possibly weak) certificate Ka, signed by a certificate authority that is unconditionally trusted by the client.
  • Proxy starts HTTPS session to target
  • Proxy verifies integrity of SSL certificate; displays error if the cert is not valid.
  • Proxy streams content, decrypts it and re-encrypts with it
  • Client displays stuff

I think I heard of a solution implementing this. Unfortunately, I can't remember its name.

Nill Smith
  • That's something like Squid's SslBump you're talking about (which I mentioned). As far as I understand, that's precisely what the question is *not* about. – Bruno Apr 13 '12 at 20:33
  • As @Bruno said, this is explicitly NOT what the question is about. Also, it is very wrong. If you are going to spam links to vendors of SSL certificates, I would think you should know how they work. Also you should really disclose your connection with the vendor, **if** the link is relevant. In cases like this, it really is not. So, don't do that. [FAQ]. – AviD Apr 26 '13 at 12:05

Generally speaking, I would say Yes. BURP is an http(s) intercepting proxy. You have to install a certificate locally but BURP will intercept then decrypt/encrypt the traffic for you. Depending on the context of what you are trying to achieve, this may or may not suit your needs.