Using Man In the Middle Proxy (mitmproxy) on a Raspberry Pi

It's good to see that more and more programs use secure http (https) to encrypt data they send and receive over the network. Especially over public hotspots and due to the prying eyes of security agencies around the globe, there's no alternative to it. The downside is, however, that data is also concealed from debugging and personal analysis purposes. But there's a solution: mitmproxy!

Mitm stands for 'Man In The Middle' as the software can split an SSL connection into two parts and decrypt data in the middle. To do this, the device or program under test has to be configured for http proxying. On Android and other mobile operating systems this is part of the Wi-Fi setup. On PCs it's part of the web browser configuration. Once done, all http and https requests are sent to mitmproxy which then terminates the secure link and opens another secure connection towards the destination. As mitmproxy doesn't have a valid SSL certificate for the destination it has to create a certificate of its own on the fly and send that to the client device. As the mitmproxy can only sign the certificate with its private credentials, an error message pops up in the web browser every time a https protected site is visited and the user has to manually confirm to proceed. That's how it should be because security is broken when an SSL connection is not terminated at the destination.

To stop these error messages, mitmproxy offers an easy way for devices to import its certificate authority credentials. On Android and other platforms this is as simple as surfing to a given URL and pressing OK on the dialog that pops up that asks if the certificate is to be put into the certificate store. Almost too easy from a security point of view.

Remains the question on where to run mitmproxy. As the software is written in Python it can be easily installed on Linux PCs and also on Mac OS and then use the IP address of that device in the proxy configuration in the device or software under test. But as I'm always a bit reluctant to install software on my PC I don't need on a daily basis, I decided to install it on a Raspberry Pi instead. As the software is installed and compiled from source it takes about half an hour to install it on the processing power restricted Pi. However, it's well worth the wait.