[Privoxy-devel] HTTPS filtering in Privoxy
va.svec at gmail.com
Wed May 17 12:09:12 UTC 2017
Hello,

I have implemented SSL filtering support, webserver certificate
validation (and sending info about invalid certificates), host
certificate generation and basic configuration for Privoxy. The mbed
TLS library has been used for SSL connections. The implementation doesn't
support (mainly due to lack of time):

- certificate revocation - Not necessary for use and not a critical
security error.
- outgoing requests filtering - In my opinion, this functionality
would require many changes in the chat function or the header parsing
functions. I have decided not to implement this functionality yet.
- SSL connections caching - Not necessary for use.
- subject alternate name - This parameter is required by the new version
of the Google Chrome web browser. mbed TLS doesn't support writing this
parameter into generated certificates. Should be available in the next
library versions.

My implementation changes the following files: jcc.c, jcc.h, parsers.c,
project.h and loadcfg.c. New files ssl.c and ssl.h have been added.

I'd be happy if you are interested in this implementation and its
potential publication in the official Privoxy sources. Please tell me what I
should do next (how and in what form I can send you my source code).
I will be happy to answer any questions.

Thank you for your answer.

"<vasek.svec at email.cz> wrote:
> I'm a third-year student at the Czech Technical University in Prague and
> I'm choosing a topic for my bachelor thesis. My teacher has offered me
> this topic:
> Study the current state of proxy servers with respect to the HTTPS
> protocol. Analyze the available implementations and specify approaches
> to filtering HTTPS communication; focus on the security issues related
> to these approaches. Implement a module for Privoxy (www.privoxy.org)
> which will add support for filtering of the HTTPS communication
> between a browser and a server.
>
> I'd like to ask you for your opinion on this topic. I'm not really
> a great C programmer, but I'm not a C beginner and I have some small
> experience with the OpenSSL library. I find this topic very interesting,
> but I'm a little bit scared of the programming part. Could you please tell
> me how difficult this implementation would be? And could I ask you for
> advice when I encounter a problem during implementation?

I'd expect the programming part to be time consuming but not too
difficult. Documenting it in a way a non-technical user understands
is likely to be challenging, but this could be out of scope for your
thesis anyway.

One non-technical issue with using OpenSSL is that Privoxy is
licensed under the GPLv2 which is incompatible with the OpenSSL
license. This causes problems for platforms that don't contain
OpenSSL as part of the base system and thus aren't covered by
the system library exception in the GPLv2.

Most GNU/Linux distributions probably would not be able to enable
the OpenSSL support for their Privoxy packages and Windows users
would have to compile it themselves as well.

This doesn't mean that OpenSSL can't be used for this, but it's
something you should be aware of from the beginning.

Feel free to ask any additional questions you have about this.

Fabian
"
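
The subject alternate name limitation listed in the message above, shown as an added example (not code from the described implementation, Privoxy or mbed TLS): a client that matches host names only against SAN dNSName entries rejects a generated certificate that names the host only in its subject CN, while a checker with CN fallback accepts it. The function names and the sample host names are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive equality of two NUL-terminated DNS names. */
static int name_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Match one certificate name against the requested host. A wildcard is
 * accepted only as the complete leftmost label and covers exactly one label. */
static int dns_name_matches(const char *pattern, const char *host) {
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *rest = strchr(host, '.');
        if (rest == NULL || rest == host)
            return 0;                       /* no first label to cover */
        if (strchr(pattern + 2, '.') == NULL)
            return 0;                       /* refuse patterns like "*.org" */
        return name_eq(pattern + 1, rest);
    }
    return name_eq(pattern, host);
}

/* SAN-only policy (hypothetical name): the subject CN is never consulted. */
int san_only_host_ok(const char *host, const char *const *san, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (dns_name_matches(san[i], host))
            return 1;
    return 0;
}

/* Older policy: fall back to the subject CN only when no SAN is present. */
int cn_fallback_host_ok(const char *host, const char *cn,
                        const char *const *san, size_t n) {
    if (n > 0)
        return san_only_host_ok(host, san, n);
    return cn != NULL && dns_name_matches(cn, host);
}

int main(void) {
    const char *const san[] = { "www.example.org" };   /* constructed sample */
    /* CN-only certificate: accepted with CN fallback, rejected SAN-only. */
    return !(cn_fallback_host_ok("www.example.org", "www.example.org", NULL, 0)
             && !san_only_host_ok("www.example.org", NULL, 0)
             && san_only_host_ok("www.example.org", san, 1));
}
```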