In this environment an intercepting HTTPS proxy is used for legitimate purposes, and its CA root certificate is installed on all clients. Every HTTPS proxy solution I've seen so far simply signs a new certificate directly with the CA, not preserving any information about the original certification path. After the proxy has made its decision, it is not possible to see what the original certification path was, which could be useful for further analysis in both success and failure.
It would be possible for the proxy to recreate the whole path of fake certificates instead of the single fake certificate, as shown in this table in the row "proposal". Of course, inspecting these certificates in detail would be somewhat useless, as they have fake keys, but this would preserve information about their CN, the dates they are valid between, and so on.
What might be the main reason we don't see this?
- It is assumed that users will not look at the certificates anyway.
- The extra resources this would consume on the proxy.
…or can we? Any examples of such intercepting proxies?
Would there be a better alternative, if we want to preserve this information for the client?
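The proposal above, sketched as an added example (not code from the original post or from any proxy product): every certificate of the upstream path is re-issued under the proxy CA with the same subject and validity dates but a new key. The function names, the ECDSA P-256 keys and the constructed certificate names are assumptions; only subject, dates and the CA flag are copied, not SANs or other extensions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue copies src's subject and validity onto a fresh key; a nil parent means self-signed.
func issue(src, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: src.Subject,
		NotBefore: src.NotBefore, NotAfter: src.NotAfter, IsCA: src.IsCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, pk = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk))
	return must(x509.ParseCertificate(der)), key
}

// mirrorPath re-issues orig (leaf first) under the proxy CA: same names and dates, new keys.
func mirrorPath(orig []*x509.Certificate, ca *x509.Certificate, caKey *ecdsa.PrivateKey) []*x509.Certificate {
	out := make([]*x509.Certificate, len(orig))
	for i := len(orig) - 1; i >= 0; i-- { // top of the path first, so each fake signs the one below
		ca, caKey = issue(orig[i], ca, caKey)
		out[i] = ca
	}
	return out
}

// demo runs mirrorPath on a constructed path; real input would be the parsed upstream chain.
func demo() (orig, fake []*x509.Certificate) {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	up := func(cn string, days int, ca bool) *x509.Certificate { return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, NotBefore: t0, NotAfter: t0.AddDate(0, 0, days), IsCA: ca} }
	orig = []*x509.Certificate{up("www.example.test", 90, false), up("Constructed Intermediate CA", 900, true), up("Constructed Root CA", 3650, true)}
	proxy, pk := issue(up("Constructed Proxy CA", 365, true), nil, nil)
	return orig, mirrorPath(orig, proxy, pk)
}
```

Call `demo()` from a `main` function or a test to run it. The cost is one key generation and one signature per certificate in the path, which is the extra resource use the question mentions.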