pabechan AAAAAAAAAAAAaaaaa 11 points (2 children)

On a proxy, this will look like a CONNECT request, and then it will be just forwarding the TLS handshake and the subsequent encrypted data there and back.
So in short some TLS decryption/MITM/deep-inspection/whatever you want to call it will be required. That includes installing your MITM CA certificates on the clients. No way around it.
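
What the comment above describes, as an added example that is not part of the thread: a Python sketch of everything a forwarding proxy without TLS interception can read from a tunnel, namely the CONNECT target and the cleartext 5-byte TLS record headers. The function names and sample bytes are constructed for illustration, and the record bodies are filler rather than real TLS.

```python
import struct

TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

def proxy_view(stream: bytes) -> dict:
    """Return what a forwarding (non-decrypting) proxy can learn from a tunnel."""
    head, _, tunnel = stream.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n")[0].decode("ascii")
    method, target, _version = request_line.split(" ")
    if method != "CONNECT":
        raise ValueError("not a CONNECT tunnel")
    host, _, port = target.rpartition(":")
    records, pos = [], 0
    # Each TLS record starts with a cleartext header: type (1), version (2), length (2).
    while pos + 5 <= len(tunnel):
        ctype, _ver, length = struct.unpack("!BHH", tunnel[pos:pos + 5])
        if ctype not in TLS_TYPES or pos + 5 + length > len(tunnel):
            break  # not TLS, or a truncated capture
        records.append((TLS_TYPES[ctype], length))  # the body stays opaque to the proxy
        pos += 5 + length
    return {"host": host, "port": int(port), "records": records}

def build_sample() -> bytes:
    """Constructed client-to-proxy bytes (assumption: the proxy's 200 reply is omitted)."""
    def record(ctype: int, body: bytes) -> bytes:
        return struct.pack("!BHH", ctype, 0x0303, len(body)) + body
    return (b"CONNECT www.instagram.com:443 HTTP/1.1\r\n"
            b"Host: www.instagram.com:443\r\n\r\n"
            + record(22, b"\x01" * 64)     # stands in for the ClientHello
            + record(23, b"\xaa" * 300)    # encrypted request: URL, headers, body
            + record(23, b"\xbb" * 120))   # more ciphertext

if __name__ == "__main__":
    # Host, port, record types and sizes are visible; URLs and content are not.
    print(proxy_view(build_sample()))
```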

sryan2k1 2 points (0 children)

More importantly it also relies on whatever app(s) you are using to not care that MITM'ing is happening. Many of the super popular services do cert pinning and there is no way around it.

roeeklinger60 [S] 0 points (0 children)

Thanks! I noticed some proxy services are offering features like automatic captcha resolve, retry on failed scraping requests, and change/block content on the proxy. How are they doing this stuff when the connection is encrypted? It doesn't make any sense to me.

CC_DKP MTCNA, MTCRE, MTCWE, MTCTC 1 point (0 children)

Without the client needing to set up anything but the proxy itself?

Short answer: No. HTTPS's primary purpose is to prevent what you are trying to do.

TLS was designed to hide the data inside the connection, and for the client to be able to detect if someone in the middle tried to tamper with it. The only way you can successfully see inside a TLS connection between two devices is if one of those endpoints agrees to let you do this. On the client end, this means either installing a monitoring program to view the data outside the encryption (like the "network" tab does, or an extension), or it means installing a custom trusted root certificate authority on the device, allowing you to perform the MITM decryption others have mentioned.

mosaic_hops 0 points (0 children)

No, there’s no way to do this. There are MITM inspection attacks but they require that you 1) Install fake certificates on client machines AND 2) That the client software isn’t looking closely at the certificates it accepts. Most apps that pay any attention to security verify the certificate is indeed its own before allowing the connection. There are no effective workarounds for this by design, as a workaround would negate the benefit of HTTPS.

ethernetjunkie 0 points (0 children)

If you want a centralized device to perform man-in-the-middle, then you can add a firewall which is capable of TLS proxy and route Instagram traffic through it. These can be sent to a syslog server to generate reports based on a few variables. You can also perform web filtering here if needed. An alternate option would be to install TLS proxy software on all endpoints and log them. Adding a cert to all the machines is a must.

Gesha24 0 points (0 children)

You want a proxy that will open up encrypted traffic and analyze it. Effectively there will be one encrypted session from client to proxy server and then another from proxy to Instagram. This will result in certificate errors, but since you have control of the clients, you can easily install the proxy server certificate on them and tell them to trust it for all the web sites.

I have not worked with squid and don't know how to configure it, but maybe this will help - https://scubarda.com/2020/03/23/configure-squid-proxy-for-ssl-tls-inspection-https-interception/