Which ssl mitm proxy is easiest to use?

Discussion in 'privacy technology' started by Uitlander, Feb 5, 2018.

  1. Uitlander

    Uitlander Registered Member

    Joined: May 16, 2010 | Posts: 255 | Location: Albany, CA
    I am looking at the following apps:
    mitmproxy 2.0.2
    Charles 4.2.1
    BurpSuite
    Fiddler
    James 1.5.0
    Paros proxy 3.2.1
    I will be installing one of these on one of my browsers to allow circumvention of ssl security certificates. I realize this is counter to security, but I already have so-called secure browsers (Whitehat Aviator, SRWare Iron, etc.), which are obsessed with blockading me from reaching about 30% of the sites I want to reach. What I want now is just one browser that will take me wherever I decide to go.
     
  2. 142395

    142395 Guest

    I only have experience with Fiddler and it's very powerful, but why don't you just ignore the cert warning (make the browser remember it if you want) and go ahead? If your browser doesn't allow this, just use another browser that does, such as Firefox. (And there have been questions about the security of Iron.)
    Also, Adguard has MITM capability along with a whitelist (disable MITM on registered URLs); it will be a much easier and more secure way.

    [EDIT] Ah, so you use XP? That should be the reason you get so many warnings, as Chromium uses the OS' certificate store, which on XP would not be updated any more. Just another reason to recommend Firefox ESR, because it uses its own certificate store (so you won't get that many warnings) and, importantly, it still gets security patches (tho only High+ severity) even on XP! Considering Firefox 52 already has a partial sandbox, it's safer than outdated Chromium forks.
     
    Last edited by a moderator: Feb 5, 2018
  3. Uitlander

    Uitlander Registered Member

    I had already been advised to install an old version of Firefox with the add-on 'Ignore Cert Error', which has allowed some relief from constant security certificate errors, but it is not enough. There are still sites that give various errors that Firefox will not ignore, nor offer the 5+ clicks to add exception, so I have decided on circumvention. Besides which, Firefox appears only good for Adobe Flash. Most of the Internet-TV freesites I use require H.264, and my SRWare Iron is the only browser I have gotten it to work on, so I need it to be my go-to browser, but on it the CA ******* have full control, and are blockading me from nearly half the sites that offer TV shows and movies. So can Fiddler be set up to circumvent these certificate errors in SRWare Iron automatically...as in a set-it and forget-it way?
     
  4. 142395

    142395 Guest

    IDK what version of Firefox you used, but ESR52 supports most addons and IIRC has an OpenH.264 plugin; besides, you can set the "browser.ssl_override_behavior" value to make it easier to add a cert error exception. I haven't come across a site which doesn't allow the exception, but possibly it's because I don't watch internet TV.

    Anyway, Fiddler is a web inspection tool which has MITM capability, so it's not for error circumvention and I haven't used it for that. I use it to inspect the TLS connection of an app or replay exploit traffic, so I can't comment on your use much, but maybe once you set it all up properly, it can be forgotten. However, if you want a set-it & forget-it tool, I recommend AdguardPro. It costs, but there's a free trial period so you can test it first. I see you know, but still I have to say, circumventing TLS errors poses a significant security risk; it's not a theoretical one, there have been actual attacks, so using Fiddler or another tool for that purpose every day should never be recommended in any security forum. But Adguard takes care of it: they incorporated a whitelist for banking and other important sites and also take many measures, so the actual risk is low, I believe.

    BTW, 30% of sites giving errors is obviously abnormal. I guess that is due to XP (but then Firefox should be OK...), not sure if resetting catroot2 helps... another possible solution would be to install Mint or any other Linux distribution you like as a dual-boot OS.
     
    Last edited by a moderator: Feb 7, 2018
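
Added example, not part of the thread: one way to test the guess above that the warnings come from an outdated local certificate store rather than from the sites themselves. It keeps verification on, records the OpenSSL verify code for each failed handshake, and tallies causes; the function names and sample data are constructed for illustration, and `probe()` checks against whatever trust store Python's `ssl` module loads by default.

```python
import socket
import ssl
from collections import Counter

# OpenSSL X509_V_ERR_* codes as reported in SSLCertVerificationError.verify_code.
CAUSES = {
    2: "trust-store",    # unable to get issuer certificate
    20: "trust-store",   # unable to get local issuer certificate
    9: "validity",       # certificate is not yet valid
    10: "validity",      # certificate has expired
    18: "self-signed",   # self-signed leaf certificate
    19: "self-signed",   # self-signed certificate in chain
    62: "hostname",      # hostname mismatch
}

def probe(host, port=443, timeout=5.0):
    """Handshake with full verification; return 0 (X509_V_OK) or the verify code."""
    ctx = ssl.create_default_context()  # verification and hostname checks stay on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return 0
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_code

def classify(code):
    """Map a verify code to a coarse cause label."""
    return "ok" if code == 0 else CAUSES.get(code, "other")

def summarize(results):
    """results: iterable of (host, verify_code). Returns (Counter, verdict)."""
    counts = Counter(classify(code) for _host, code in results)
    failures = sum(n for cause, n in counts.items() if cause != "ok")
    # If most failures are missing-issuer errors, the client's root store is stale.
    if failures and counts["trust-store"] * 2 > failures:
        return counts, "local trust store"
    return counts, "individual sites"

# Constructed sample results (not real measurements); use probe() for live hosts.
SAMPLE = [("a.example", 0), ("b.example", 20), ("c.example", 20),
          ("d.example", 10), ("e.example", 20), ("f.example", 62)]

if __name__ == "__main__":
    counts, verdict = summarize(SAMPLE)
    print(dict(counts), "->", verdict)
```

A run dominated by `trust-store` failures points at the client's root store; scattered `validity` or `hostname` failures point at the individual sites.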
  5. Uitlander

    Uitlander Registered Member

    So I did more Google research, and it appears the 'Skip Cert Error' add-on "works with Firefox 23.0-56.*" according to:
    https://addons.mozilla.org/en-US/firefox/addon/skip-cert-error/versions/
    The * bothers me, so I probably will not try to go beyond Firefox 55.0. I'll download it and the add-on to CD, and archive it for later install if/when my present Firefox version becomes useless, but like I said, this is only a temp solution. I intend to have either SRWare Iron or Chromodo to be CA-free, and by any means necessary. Further research indicates that all Chrome/Chromium based browsers are using a 'certificate store' the CA control freaks have managed to embed within XP itself. Seems to be Java-based, although cannot find out if ditching Java will end the CA blockade, but I'll mark it down as a possible option. I am sure that installing a bogus uber-certificate that overrules all the CA ones will do the job, so I need to decide which SSL mitm proxy is easiest for a newbie to use, and is persistent (I turn off the PC and then cut its power at the end of the day). My experience at bleepingcomputer, raymond.cc, etc., has proven I can expect no questions answered nor assistance to be given in this venture, so I have launched into full-on research mode to solve the problem myself. I have whittled down the options to BurpSuite 1.7.32, mitmproxy 2.0.2, or Charles 4.2.1, and will now focus all effort on finding out everything about them to decide which to test-drive first. Once I have a 'pick of the litter', I'll have my tech guy set it all up, install the uber-certificate, and so on.

    As for the security risk, I have of course looked into it, and frankly, I would much rather deal with any resultant malware than allow these control freaks to blockade me from 30% of the internet. As for Adguard, constantly adding hundred(s) of urls to the whitelist every day is not acceptable. I prefer the Sauron Method, but instead of one ring to rule them all, it's one certificate to rule them all. In other words, I have officially decided that the services of the CA critters will no longer be required, and since neither they nor Microsoft can be trusted to fix what is obviously broken, I intend to end it, and handle my own security needs (with maybe a little help from tech support).
     
  6. 142395

    142395 Guest

    * means wildcard, i.e. any subversion under 56 is OK, e.g. 56.0.2, 56.0.4, etc. Chromium uses the OS cert store as I mentioned above, but I don't believe it has sth to do w/ Java (anyway you can test). Still not sure what causes so many warnings. IDK if Adguard's whitelist is really such trouble, as it only whitelists banks and the like. TLS MITM does not always involve malware; rather, it can be tapping and altering communication.
     
  7. Uitlander

    Uitlander Registered Member

    So if I understand rightly, the 'Skip Cert Error' add-on ceases to work on Firefox 57 onwards? Well I found several connections to Java:

    https://stackoverflow.com/questions...ntrusted-certificate-for-ssl-https-connection
    http://support.sas.com/kb/57/370.html
    https://docstore.mik.ua/orelly/java-ent/security/ch10_04.htm
    http://www.itninja.com/question/silent-import-java-certificate
    https://technet.microsoft.com/en-us/library/cc700805.aspx

    Maybe my interpretation is off, but it sounds like Java is connected to the cert store in XP. Tapping and altering communications would likely only be a problem for online banking and shopping, and I do not use this PC for that. Primary use is for surfing the net, doing Google research, & watching TV shows/movies.
     
  8. 142395

    142395 Guest

    Yes, it probably doesn't work on 57+ as Mozilla made a significant change for addons (not limited to Skip Cert Error).
    After a quick look at the links, I don't see direct evidence that the XP cert store has a close relation with Java. But Java uses certificates for Java applications and applets, and it (JRE) also installs plugins for the browser. If you care, try to disable all Java related plugins and see if the situation changes. On Chromium derivatives, it depends on the version, i.e. for newer versions type chrome://components in the address bar and search for java related plugins. For older, it's chrome://plugins. I don't remember from what version they changed it.
    For Firefox, you can disable through usual addon panel which includes plugin tab. For IE, go internet option>program>manage addons>"all addons" & "run without permission" & "downloaded control".

    Ok, I understand your risk hedge. Very sorry that I can't help you much as I don't have enough experience of these tools, especially if you want to use them 24/7 to bypass warnings.
     
  9. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined: Oct 7, 2017 | Posts: 2,010 | Location: Member state of European Union
    Java applets are a deprecated technology. The newest (9) JRE does not install a browser plugin.
     
  10. 142395

    142395 Guest

    Thx for correction. The last version I had on my PC was 7, with JDK.
     
  11. Uitlander

    Uitlander Registered Member

    Thanks so much 142395, for teaching me a new trick! Never knew about typing 'chrome://components' in the address bar. So what came up was:
    Chrome Crash Service
    CRLSet
    pnacl
    recovery
    EV Certs whitelist ver.7
    WidevineCdm
    No mention there whether any of the above are Java-based, and I have no idea how to disable them. A quick Google search indicates 'CRLSet' and 'EV Certs whitelist' are the only stuff connected to CA villains. From what you said, I assume eradicating Java entirely will probably not rid me of the CA blockade, so I will focus my effort all towards the SSL mitm proxy solution. I appreciate what help you did give, much more than at any other forums, where the usual response was 'how dare you want to circumvent our beloved CA heroes!', and related derision.
     
  12. 142395

    142395 Guest

    Then maybe it's good to start from Fiddler. If it doesn't work for you, switch to others. Just don't forget to uninstall Fiddler certificate in that case. There're many good how-to articles about Fiddler including installation of root cert. I rely on articles written in my mother tongue, but there're English ones too (or probably your language too if you're not native English speaker). When you download Fiddler, it may appear to require your email address, but actually not, just fill it with any random fake email address.
     
  13. Uitlander

    Uitlander Registered Member

    Actually, after what you said in reply #4, and further research, I decided to eliminate Fiddler from my tryout list, which I have cut down to just three:
    BurpSuite Community Ed.
    OWASP Zed Attack Proxy
    Charles 4.2.1
    Charles I will likely save as last resort, as it's not free.
     