Hacker News
by apple_innocent 1981 days ago
"Where is the encryption being added?"

It is being added by the proxy server listening on the loopback which connects to the remote website.

Browser connects to forward proxy on port 80, forward proxy (compiled with SSL library) connects to target IP on port 443.

This is how one can, e.g., use clients that are not SSL-enabled to access websites, etc. that require SSL.

For example, if forward proxy is listening on 127.0.0.1:80, we can make an encrypted connection to example.com using original *hobbit netcat which does not support SSL.

   echo -e 'GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n' | nc -vvn 127.0.0.1 80
It is probably more popular to use stunnel for this purpose instead of a forward proxy.
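A minimal version of the loopback upgrade proxy the comment describes, written here as an added example rather than the commenter's own setup: it accepts plaintext HTTP on the loopback, reads the Host header, opens a certificate-verified TLS connection to that host on 443 and relays bytes in both directions. The listen address 127.0.0.1:8080 is an assumption (the comment uses port 80); Python 3.8+ is assumed.

```python
import socket
import ssl
import threading

LISTEN = ("127.0.0.1", 8080)   # hypothetical loopback listener; the post used port 80
def read_head(sock):
    """Read until the blank line that ends the HTTP request head; return all bytes read."""
    buf = b""
    while b"\r\n\r\n" not in buf and (chunk := sock.recv(4096)):
        buf += chunk
    return buf
def host_from_head(head):
    """Return the Host header value without any :port, or None if absent."""
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().split(b":")[0].decode("ascii")
    return None
def tls_context():
    # Default context verifies chain and hostname against the system trust store.
    return ssl.create_default_context()
def pump(src, dst):
    try:                       # copy one way until EOF, then half-close the far side
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def handle(client):
    head = read_head(client)
    host = host_from_head(head)
    if host is None:           # no Host header: nothing to route to, drop it
        client.close()
        return
    upstream = tls_context().wrap_socket(
        socket.create_connection((host, 443)), server_hostname=host)
    upstream.sendall(head)     # request head (plus any body already read) goes out over TLS
    threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
    pump(upstream, client)     # decrypted response flows back to the plaintext client
    client.close()

def serve():
    with socket.create_server(LISTEN) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

if __name__ == "__main__":
    serve()
```

With this running, the netcat line above works unchanged apart from the port; because the default context verifies the server certificate, a site presenting a bad chain is refused at the handshake rather than relayed in the clear.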

OK, now I understand what you meant about "a forward proxy on the client side" (as that's exactly what I mean by "use a proxy to strip the encryption"). But I still don't understand why that allows you to not have to use HTTPS-only on the originating server to get the benefits of HTTPS-only?
Because I, the user, am running a forward proxy to encrypt all outgoing HTTP requests, I do not have to rely on "HTTPS-only" on the server side. I enforce "HTTP-everywhere" on the client side. That's the theory anyway.

To be honest there are still some sites that do not, and will probably never, offer HTTPS and I have to account for those with the proxy setup. For these websites I might assign them a different local IP that does not add encryption.

In running this setup there are some times where I find that for one reason or another "HTTPS-only" on the server side has failed to catch every instance where http:// should be https://. I use many different clients, the least of which is the modern browser which may have some whizbang features to try to enforce "HTTPS-everywhere". The clients I use more are simpler, less complex and do not have such features. Instead of relying on the modern browser, I rely on an extensive proxy configuration to make sure everything gets encrypted (when appropriate).