Web Application Security
RE: Security tool for monitoring HTTPS traffic? Feb 25 2004 10:18AM
John Reilly (JReilly eSpatial com) (3 replies)
Re: Security tool for monitoring HTTPS traffic? Feb 26 2004 11:29AM
lists AT dawes DOT za DOT net ("lists AT dawes DOT za DOT net" securityfocus com)
There very definitely are ways of looking at the content inside an HTTPS
stream.

There are two major approaches to doing this, at the end-points and in
the middle. The first approach is an active approach, the second
approach is more passive.

Observing at the end-points involves using a proxy application at either
end of the connection that decrypts the stream. Two examples:

Using Apache with mod_proxy, where the Apache server has the SSL
certificate, decrypts the traffic in the normal way, and relays the
decrypted information to another server. The decrypted information can
be observed, monitored, altered, etc. as desired.

Using a client-side proxy, such as WebScarab, Odysseus, Spike, etc. on
the client side, where the client reconfigures their proxy settings, and
the client-side proxy provides a faked certificate. This results in
warning messages, but since the client is in control, they can choose to
accept the warnings.

Passively observing the stream involves providing the Server's SSL key
to an application such as SSLDump, which uses TCPDump to observe network
traffic, and the provided key to decrypt the traffic and recover the
plaintext, in parallel to the actual web server.

Hope this clears things up!

Rogan

John Reilly wrote:

>
>>I have a similar question too!
>>
>>Are there products that can look inside HTTPS traffic? Some
>>customers don't trust HTTPS traffic going inside the company over
>>the proxy!
>
>
> There is no way to look at the plain text content inside the https traffic -
> that would defeat the whole purpose of https.
>
> Regards,
> John
>
>

--
"Using encryption on the Internet is the equivalent of arranging an
armored car to deliver credit card information from someone living
in a cardboard box to someone living on a park bench."
- Gene Spafford
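The first end-point approach in the reply above, terminating TLS on an Apache reverse proxy that holds the server certificate and relaying the plaintext to the real application server, can be expressed as the following httpd configuration. This is an added example, not configuration from the original post or from any of the tools it names; it assumes Apache httpd 2.4 with mod_ssl, mod_proxy, mod_proxy_http and mod_dumpio available, a `Listen 443` directive elsewhere in the main configuration, and the host name, certificate paths, back-end address and log paths shown are placeholders.

```apache
# Added example (not from the original post): Apache httpd 2.4 as a
# TLS-terminating reverse proxy. The browser's HTTPS session ends here,
# so the request is available in the clear for logging and inspection
# before it is relayed to the back end over plain HTTP. Host names,
# paths, the back-end address and log locations are all assumptions.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule dumpio_module     modules/mod_dumpio.so

<VirtualHost *:443>
    ServerName www.example.com

    # This host owns the certificate and private key, so it is the TLS
    # endpoint the client authenticates; nothing past this point is encrypted.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Reverse proxy only (never an open forward proxy), relaying the
    # decrypted requests to the internal application server.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://10.0.0.10:8080/
    ProxyPassReverse / http://10.0.0.10:8080/

    # Decrypted request lines and headers are recorded in the access log.
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    CustomLog /var/log/httpd/https_plain_access.log combined

    # mod_dumpio writes the full request and response bodies to the error
    # log at trace level. This is verbose and will contain credentials and
    # session tokens in the clear, so give it its own log file and restrict
    # read access to it.
    DumpIOInput  On
    DumpIOOutput On
    LogLevel warn dumpio:trace7
    ErrorLog /var/log/httpd/https_plain_error.log
</VirtualHost>
```

Two practical points follow from the design. The hop from the proxy to the back end is cleartext HTTP, so it belongs on a network segment where that is acceptable (or is itself re-encrypted with a second `https://` ProxyPass target). And because the proxy is the TLS endpoint, the certificate and key it holds are the ones clients validate, which is why, unlike the client-side proxy with a faked certificate, this approach produces no browser warnings.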

Re: Security tool for monitoring HTTPS traffic? Feb 26 2004 11:26AM
Thomas Chiverton (thomas chiverton bluefinger com)
Copyright 2010, SecurityFocus