Hey there MorphOS community, long time no see :)

There has been always an issue that bugged me a lot in the recent years with MorphOS.
I couldn't stream Youtube videos directly in MPlayer as it only supports HTTP connections. So what we had to do is to save the file first and play it while saving.

I have found a solution for this. It all started when i thought about finding a solution for the general SSL issues on our beloved classic amiga hardware. The internet slowly shifted towards HTTPS lately and because of that it is nearly impossible to surf the web at all with such underpowered CPUs and old SSL methods.

So i put some time into investigating and experimenting. Aaaand i came up with a hacky solution :)

Why not have another machine in between to do the SSL stuff? All we need is a Linux based system and do a Man In The Middle attack :D
Now that sounds crazy at first sight, but its absolutely safe as everything happens in our local network behind the firewall between two machines under our control.


To put it in simple terms we're gonna do convert a HTTPS connection into a HTTP connection.

Client ---HTTP---> Proxy ---HTTPS---> Website---HTTPS---> Proxy ---HTTP---> Client

The puplic connections are still SSL encrypted! So we are still safe from the outside.

We need the following software:

- Linux (f.e. Debian)
- iptables
- ettercap
- sslstrip

We also have to look up our device name of the network device. Use ifconfig. For my tutorial i will use "wlan0"
Check your Client and routers IP adress. We'll need them too of course.

I'll use these to explain

Client 192.168.0.20
Router 192.168.0.1


1. Redirect port from the client

At first, we have to tell our mitm-proxy to reroute incoming traffic at port 80 to the destination port 10000. Thats the port where SSLstrip is listening to by default.

Open a console and type:

Code:



2. Configure Man In The Middle

Now we will use the mitm method to trick our Client and reroute its traffic to the mitm proxy machine.
It will fetch the traffic, strip down the SSL stuff and forward it to the client as unsecured data.

Code:


3. run SSLStrip

All we need to do now is to start SSLstrip

Code:

Just try it out for yourself. Every HTTPS connection will now be downgraded to HTTP and you should be able to watch Youtube videos directly from MPlayer again!

[ Edited by Cego 07.01.2019 - 04:36 ]

WARNING: This is a massive security risk as the setup will allow ANY https certificate without any kind of checking. All your browsing is visible to anyone performing man-in-the-middle, too.

You have been warned.

is there a way to use certificates checking for proxy<-->website connection?

In my setup client to proxy has to be unsecured, but the rest has to be safe. Any idea is appreciated.

[ Edited by Cego 07.01.2019 - 09:55 ]

Quote:

I don't see a lot of harm there.

OK, the browsers check the server certificates against some certificate authority.
So this method should only be done to known sites.

For classic Amigas this is pretty nice.


Manfred

Quote:

Not certain, but couldn't the proxy check the server certs?


Manfred

Just forget the solution presented. Its pretty straight forward and we don't need iptables or ettercap.

Just activate ip forwarding in debian and start sslstrip. All we have to do is use proxy settings in OWB.
The benefit of this way is that we can configure specific URL settings in OWB and use the HTTPS downgrader on demand. So we can f.e. configure it in a way that only Youbtube will make use of it.


1. enable IP forwarding Code:

2. Start sslstrip Code:

3. change proxy settings in OWB. Just enter the IP of our debian machine and use port 10000

Thats it!

[ Edited by Cego 12.01.2019 - 10:35 ]

In the midterm, it probably makes more sense to update MorphOS mplayer with some proper https:// support ...

Quote:

Easier said than donut. So far only Odyssey has proper https support and that has come at a cost in exe size.

OpenSSL linklibs are mega complicated for porting. Best solution would be to have a shared library like amissl to avoid all of it, but nobody seems able to do so and keep it up to date.