Test your connection for HTTPS interception (MITM)

(Matt Holt) #1

The Caddy website now demonstrates Caddy’s MITM detection feature:

If you find a false positive or false negative, please report it! Instructions are on that page, but to summarize:

  • I need the full ClientHello bytes (hex format)
  • I need the full User Agent string
  • For false positives, I need you to verify that absolutely no TLS proxying is happening
  • For false negatives, I need to know as much about the TLS proxy as you know (especially its version and any configuration information you have, including certificates issued, etc.)

I hope that site owners will appreciate this feature. I recommend using it in a few different ways:

  • Display a warning on login or form pages that information entered may not be private, despite the HTTPS connection
  • Inform users (gently) who visit a site—depending on the nature of the site—that content may be changed or manipulated by the time it gets to their browser, and that people may know the contents of the page they’re visiting
  • Log the occurrance to collect statistics
  • If proxying to a backend, set a header on the request with the value of {mitm} in it
2 Likes