
Re: Shimming HTTP to HTTPS.



	Hi.

On Sun, Jul 28, 2019 at 09:17:21AM -0700, peter@easthope.ca wrote:
> The In-reply-to and References above should be right except that there 
> is no magnifying glass link.  This is email.  Not HTML.

It may sound boring, but there's no "In-reply-to". There's "In-Reply-To".
Yes, case matters. "References" header seems good though.


> > Shorewall is a frontend to netfilter kernel subsystem.
> > It can do all kinds of things as long as they do not exceed L4 (as in
> > OSI L4, transport layer). What you want to do is to apply a
> > transformation to L7 (application layer), and that's something that
> > netfilter cannot do.
> 
> There are two kinds of browser here.
> (1) Firefox and dillo which handle HTTP and HTTPS properly.

You may be surprised. Contrary to what they say at Mozilla, NSS is not
the best TLS implementation. There's some hope for dillo depending on
whether it uses openssl or gnutls.

> (2) The Oberon browser which currently handles only HTTP.
> 
> So this is the problem which interests me.
> When firefox or dillo requests any URL, process it as usual.

Ok. Sounds simple.

> When the Oberon browser requests a HTTP URL, process it as usual.

Ok, any conventional HTTP forward proxy should do here.

> When the Oberon browser requests a HTTPS URL, divert it and apply TLS.

Did you mean "Oberon sends an HTTP request that should be transformed to
HTTPS"? That's where that hypothetical proxy comes in.


If yes, you forgot at least two other interesting cases:

Oberon browser sends an HTTP request, but gets an HTTPS redirect (301/302)
as a result.
Oberon browser sends an HTTP request, proxy transforms it into HTTPS, gets
an HTTPS reply, transforms it back into an HTTP reply ... only to send Oberon
browser a huge pile of HTTPS links to pictures, css, js and whatnot.


Putting some thought into this, you need [1].
It may sound strange, but why bother reimplementing half of a browser
inside of a proxy, if you can make a browser serve a proxy role?

Reco

[1] https://github.com/tenox7/wrp
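
The two cases listed above, as an added example that is not part of the original message: a check a shim proxy could run on each upstream reply to find what an HTTP-only client cannot follow. The function and class names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make a browser fetch or navigate to another URL.
URL_ATTRS = {"href", "src", "action", "poster"}

class LinkCollector(HTMLParser):
    """Collect (tag, url) for every URL-bearing attribute in a page."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.links.append((tag, value.strip()))

def https_only_targets(client_url, status, headers, body):
    """Return what an HTTP-only client could not follow in this reply."""
    # client_url is the http:// URL the client asked for (assumption).
    headers = {k.lower(): v for k, v in headers.items()}
    problems = []
    # Case 1: the reply is a redirect whose target is HTTPS.
    location = headers.get("location")
    if status in (301, 302, 303, 307, 308) and location:
        target = urljoin(client_url, location)
        if urlsplit(target).scheme == "https":
            problems.append(("redirect", target))
    # Case 2: the page itself references HTTPS resources.
    collector = LinkCollector()
    collector.feed(body)
    for tag, raw in collector.links:
        # Relative and protocol-relative URLs resolve against the http://
        # base the client sees, so only absolute https:// ones break.
        target = urljoin(client_url, raw)
        if urlsplit(target).scheme == "https":
            problems.append((tag, target))
    return problems

# Constructed sample reply, not captured traffic.
SAMPLE_BODY = """<html><head>
<link rel="stylesheet" href="https://static.example.org/site.css">
<script src="//cdn.example.org/app.js"></script>
</head><body>
<img src="/logo.png"><a href="https://www.example.org/next">next</a>
</body></html>"""

if __name__ == "__main__":
    print(https_only_targets("http://www.example.org/", 200, {}, SAMPLE_BODY))
```

Every entry the function returns is something the shim would have to rewrite and remember for later requests, which is the browser-like bookkeeping the message warns about.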

