mitm.watch

TLS 1.3 in your web browser

This project is an experiment to run TLS 1.3 in a webbrowser with the intention to check what kind of middleboxes ruin the game.

Prototype

The tris library provides TLS 1.3 support (if this is not used, the application will be limited to TLS 1.2).

To support running Go in the web browser, the excellent gopherjs is used.

The existing Fetch and XHR APIs only allow for some control over HTTP messages. In order to experiment and gain insight over the TLS communication, control of the TCP payload is required. This is (un)fortunately not possible in the context of a webpage. Websockets cannot be used either since it starts with a HTTP conversation and then follows with a custom framing. Therefore the first prototype uses Adobe Flash to enable use of raw TCP sockets via its Socket API.

Building

To build the Flash socket API file, Haxe must be installed. To enable TLS 1.3 client and server support, tls-tris master should work:

export GOROOT=$(~/repos/tls-tris/_dev/go.sh env GOROOT)
export GOPATH=$PWD/go
PATH="${GOROOT/GOROOT/go}/bin:$GOPATH/bin:$PATH"
go get github.com/gopherjs/gopherjs

The test target service requires a dummy certificate. If you have no valid certificate for the reporter service, you can create it now as well with the -create-reporter=true option. To do this:

cd reporter
go run generate_cert.go config.go models.go

During development, run these two commands separately to build the frontend and to start the backend that provides tests:

make -C server watch DEV=1
make -C reporter watch

ALternatively, you can build once:

make -C server DEV=1        # make frontend
make -C reporter            # make backend with TLS 1.3 support
cd reporter && ./reporter

To allow socket connections according to the the config file:

cd server
make caddy
sudo ./caddy -type flashsocketpolicy -conf Caddyfile.flashsocketpolicy

(Alternatively, set the FlashListenAddress option which makes the reporter daemon responsible for granting Flash socket access.)

To test, visit https://localhost:4433/ and open the Console tab in the Developer Tools (tested with Chrome). Grant permission to use Flash and watch the logs.

Configuration

The client configuration is located in config_dev.go (when built with DEV=1) or config_prod.go. It contains the addresses for the reporter API.

The reporter API provides test cases and assists in execution of tests. Its default configuration is in reporter/config.go but it can be overridden using a configuration file. Missing keys will remain unchanged. Example:

cd reporter
./reporter -writeconfig config_dev.json     # write default config and exit
./reporter -config config_dev.json          # run with config

Example where the configuration file is updated based on default values:

echo '{"ListenAddress": ":443", "FlashListenAddress": ":587"}' > config_prod.json
./reporter -config config_prod.json -writeconfig config_prod.json

Note that the -config option is also valid for the generate_cert.go program.

Bugs

Known limitations and issues:

• Requires click-to-play (user interaction).
• Flash is being killed, consider alternative methods. Non-options: Chrome socket API is limited to apps (which will be removed in early 2018), FirefoxOS is also gone and the W3C TCP and UDP socket spec is also abandoned.
• Certificate validation is missing.
• There are a lot of TODOs.
• Split socket API from main.go into a separate go package (jssock).