Proxy Decrypt HTTPS – How a Proxy Can Decrypt HTTPS Traffic Without Server Certificates

Tags: https, proxy, ssl-certificate

I'm working on a project that involves proxying traffic between some client applications and servers. For this I'm using AnyProxy.

My project requires decrypting HTTPS.
I'm able to do this with AnyProxy, by having it generate a rootCA and then trusting that rootCA on the client machine(s).

And it works, but I don't understand how/why it works from a theoretical point of view.

As far as I know, HTTPS encryption/decryption works like this:

  1. The server generates a public key and a private key.
  2. The server generates a certificate based on the keys.
  3. It registers said certificate with a CA (certificate authority). This is so client applications (such as web browsers) can verify the authenticity of the certificate from a trusted source.
  4. A client application makes an HTTPS request to the server.
  5. During handshake, the client verifies the authenticity of the certificate (and thus, of the server) and receives the server's public key.
  6. The client encrypts the request with the server's public key.
  7. The server decrypts the request with its private key.

When the proxy comes into the picture, it would need the server's private key to decrypt the client's request.
How does it get it?
Can someone please explain what I'm missing (or, if I got it all wrong)?

Best Answer

This is exactly why you need the root CA generated and installed on the client: it enables your proxy to issue fake certificates for every domain. The proxy doesn't decrypt an existing connection between the client and the server, but establishes two separate connections: it's acting as a client towards the server and as a server for the client. Roughly like this:

[Figure: HTTPS interception sequence diagram]
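The trust decision the answer describes can be reproduced offline with the `openssl` CLI. This is an added example, not part of the original answer or of AnyProxy; the CA names, `example.test`, `other.test` and all file names are constructed, and OpenSSL 1.1.1 or newer is assumed. It shows that a leaf signed by the proxy's root is accepted only by a client that trusts that root, and only for the host name it was minted for.

```shell
#!/bin/sh
# Added demo: all names below are constructed placeholders.

make_root_ca() {            # $1 = work dir, $2 = CA name
  cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$1/$2.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# What an intercepting proxy does per requested host: mint a leaf with its
# OWN fresh key pair, signed by its root. The real server's private key is
# never involved.
issue_leaf() {              # $1 = work dir, $2 = CA name, $3 = host name
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$3" > "$1/$3.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$1/$2.cnf" -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -extfile "$1/$3.ext" -out "$1/$3.crt" 2>/dev/null
}

# The client's check: chain to a trusted root AND match the host name.
client_accepts() {          # $1 = trusted root, $2 = presented cert, $3 = host
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d) || return 1
  make_root_ca "$d" proxy-root && make_root_ca "$d" unrelated-root &&
  issue_leaf "$d" proxy-root example.test || return 1
  for c in "proxy-root example.test" "unrelated-root example.test" \
           "proxy-root other.test"; do
    set -- $c               # $1 = root the client trusts, $2 = host it asked for
    if client_accepts "$d/$1.crt" "$d/example.test.crt" "$2"
    then echo "trust=$1 host=$2 -> accepted"
    else echo "trust=$1 host=$2 -> rejected"; fi
  done
  rm -rf "$d"
}
demo
```

Only the first case is accepted: a client that has not installed the proxy's root rejects the minted certificate, which is why interception fails on machines where the root CA was never trusted.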
