How can Charles enable SSL Proxying?

The core of HTTPS and SSL is the handshake, in which the client gets the public key from the server, generates a session key, encrypts it and sends it to the server. This way the client can be sure that the session key is known only to it and the server.

However, when the connection between the client and the server goes through a proxy, the proxy will try to appear to you as the server, and to the server as you. It intercepts the connection you send to the server, and so receives the public key from the server.

Charles does this by becoming a man-in-the-middle. Instead of your browser seeing the server’s certificate, Charles dynamically generates a certificate for the server and signs it with its own root certificate (the Charles CA Certificate). Charles receives the server’s certificate, while your browser receives Charles’s certificate.

With this in place, Charles can decrypt the session key and so has access to it. As a consequence, you will receive a warning that the connection is not safe. Also, the session keys of existing sessions are not sent through again, so Charles has to close the current sessions in order to learn the session key.

After adding a host name to the SSL Proxying list you may need to restart Charles for existing browser sessions to change.

To verify the server’s identity, SSL/HTTPS X.509 certificates have to be checked against a trusted Certificate Authority. The client relies on the word of these authorities to trust that the certificates are genuine.

Beware:

Charles provides a certificate. Don’t add it to your trusted roots; this is a really bad idea. Anyone can download that certificate and key and use them to sign certificates in the same way Charles does. If you add it to your trusted roots, you have compromised your own root store and nothing is safe anymore: you are now vulnerable to other websites in Russia or something.
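The trust decisions described above (the warning for the proxy's generated certificate, and what changes once its root is trusted) can be modelled in a few lines. This is an added example, not part of the original post or of Charles: textbook RSA over small fixed primes stands in for real X.509 signatures, and the names `Public CA`, `Proxy Root`, `bank.example` and `mail.example` are constructed for illustration.

```python
import hashlib
from collections import namedtuple

# Toy model: textbook RSA over Mersenne primes stands in for real X.509
# signatures. All names, hosts and keys are constructed for this example.
Cert = namedtuple("Cert", "subject issuer sig")

def make_key(p, q, e=65537):
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def tbs_digest(subject, issuer, n):
    h = hashlib.sha256(f"{subject}|{issuer}".encode()).digest()
    return int.from_bytes(h, "big") % n

def issue(subject, ca_name, ca_key):
    """Sign a certificate for `subject` with the CA's private exponent."""
    m = tbs_digest(subject, ca_name, ca_key["n"])
    return Cert(subject, ca_name, pow(m, ca_key["d"], ca_key["n"]))

def verify(cert, host, trust_store):
    """Client check: issuer must be a trusted root and its signature valid."""
    root = trust_store.get(cert.issuer)
    if root is None:
        return "untrusted issuer"  # what the browser warning reports
    expected = tbs_digest(cert.subject, cert.issuer, root["n"])
    if pow(cert.sig, root["e"], root["n"]) != expected:
        return "bad signature"
    return "ok" if cert.subject == host else "hostname mismatch"

def public_part(key):
    return {"n": key["n"], "e": key["e"]}

PUBLIC_CA = make_key(2**61 - 1, 2**89 - 1)
PROXY_ROOT = make_key(2**107 - 1, 2**127 - 1)  # key shipped with the proxy
default_store = {"Public CA": public_part(PUBLIC_CA)}
store_with_proxy = {**default_store, "Proxy Root": public_part(PROXY_ROOT)}

def scenario():
    genuine = issue("bank.example", "Public CA", PUBLIC_CA)
    minted = issue("bank.example", "Proxy Root", PROXY_ROOT)  # made on the fly
    other = issue("mail.example", "Proxy Root", PROXY_ROOT)   # any key holder
    return {
        "genuine, default store": verify(genuine, "bank.example", default_store),
        "minted, default store": verify(minted, "bank.example", default_store),
        "minted, proxy root trusted": verify(minted, "bank.example", store_with_proxy),
        "other host, proxy root trusted": verify(other, "mail.example", store_with_proxy),
    }

if __name__ == "__main__":
    print(scenario())
```

The last entry is the risk: once the proxy root is in the store, a certificate for any host signed with that key validates, whoever signed it.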

Work Security 

The SSL/TLS chain-of-trust relies on trusted root certificate authorities. In a workplace setting where the client is managed by the organization, trust might be granted to a root certificate whose private key is known to the proxy. Consequently, a root certificate generated by the proxy is installed into the browser CA list by IT staff.

CA – weak point in the trust chain

The 2013 mass surveillance disclosures made it more widely known that certificate authorities are a weak point from a security standpoint, allowing man-in-the-middle attacks.

In a separate disclosure unrelated to Snowden, the French Trésor public, which runs a certificate authority, was found to have issued fake certificates impersonating Google in order to facilitate spying on French government employees via man-in-the-middle attacks.


How to use CharlesProxy

1. Map local for a JSON request: In addition to Map Local, we will need to modify Header for Response as well:
