Documentation

Index

Constants
Define variables used for TLS communication

const (
	// cipher suites missing from the crypto/tls package,
	// in no particular order here
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xc024
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   = 0xc028
	TLS_RSA_WITH_AES_256_CBC_SHA256         = 0x3d
	TLS_DHE_RSA_WITH_AES_128_CBC_SHA        = 0x33
	TLS_DHE_RSA_WITH_AES_256_CBC_SHA        = 0x39
	TLS_RSA_WITH_RC4_128_MD5                = 0x4

	// new PSK ciphers introduced by TLS 1.3, not (yet) in crypto/tls
	// https://tlswg.github.io/tls13-spec/#rfc.appendix.A.4
	TLS_AES_128_GCM_SHA256       = 0x1301
	TLS_AES_256_GCM_SHA384       = 0x1302
	TLS_CHACHA20_POLY1305_SHA256 = 0x1303
	TLS_AES_128_CCM_SHA256       = 0x1304
	TLS_AES_128_CCM_8_SHA256     = 0x1305
)
Variables
This section is empty.
Functions

Types

type Handler
type Handler struct {
// contains filtered or unexported fields
}
Handler is a http.Handler that will inject a value into the request context indicating if the TLS connection is likely being intercepted.
func NewHandler

NewHandler returns a new Handler set up to detect TLS MITM.
func (*Handler) ServeHTTP
func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request)
ServeHTTP checks the User-Agent. For the four main browsers (Chrome, Edge, Firefox, and Safari) indicated by the User-Agent, the properties of the TLS Client Hello are compared against what that browser is expected to send. The context value "mitm" is then set to a value indicating whether it is likely that the underlying TLS connection is being intercepted.
Note that due to Microsoft's decision to intentionally make IE/Edge user agents obscure (and look like other browsers), this may offer less accuracy for IE/Edge clients.
This MITM detection capability is based on research done by Durumeric, Halderman, et al. in "The Security Impact of HTTPS Interception" (NDSS '17): https://jhalderm.com/pub/papers/interception-ndss17.pdf
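The following Go program is an added example, not this package's code, that sketches the comparison the ServeHTTP documentation describes: pick a browser profile from the User-Agent, then check the Client Hello's cipher suites, SNI and offered protocol versions against it, and report mismatches that suggest another TLS stack (an intercepting proxy) built the hello. The `ConstructedBrowserA` profile, its `BrowserA/` User-Agent token, the `Verdict` type and the two sample Client Hellos are constructed assumptions for illustration, not real browser fingerprints; only the cipher suite IDs are taken from the const block above.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Two of the cipher suite IDs from this package's const block; the other
// suites used below are already named by crypto/tls.
const (
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 uint16 = 0xc024
	TLS_RSA_WITH_RC4_128_MD5                uint16 = 0x4
)

// browserProfile is a CONSTRUCTED fingerprint of what one browser family is
// assumed to advertise in its Client Hello. Real profiles are derived from
// observed traffic (see the NDSS '17 paper); these values are illustrative.
type browserProfile struct {
	name         string
	uaSubstring  string          // token looked for in the User-Agent
	cipherSuites map[uint16]bool // suites the browser is known to offer
	sendsSNI     bool            // browser always includes server_name
	minVersion   uint16          // lowest protocol version the browser offers
}

// profiles holds one hypothetical browser; a real deployment keeps one
// profile per supported browser family and version range.
var profiles = []browserProfile{{
	name:        "ConstructedBrowserA",
	uaSubstring: "BrowserA/",
	cipherSuites: map[uint16]bool{
		tls.TLS_AES_128_GCM_SHA256:                  true,
		tls.TLS_CHACHA20_POLY1305_SHA256:            true,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: true,
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:   true,
	},
	sendsSNI:   true,
	minVersion: tls.VersionTLS12,
}}

// Verdict is the kind of value a handler would place in the request context.
type Verdict struct {
	Browser     string   // matched profile, empty when the UA is unknown
	Intercepted bool     // true when the hello contradicts the profile
	Reasons     []string // human-readable mismatches, useful for logging
}

// CheckClientHello compares a Client Hello with the profile implied by the
// User-Agent. An unknown User-Agent yields an empty verdict: with no
// baseline there is nothing to compare against, so nothing is flagged.
func CheckClientHello(userAgent string, hello *tls.ClientHelloInfo) Verdict {
	var v Verdict
	for _, p := range profiles {
		if !strings.Contains(userAgent, p.uaSubstring) {
			continue
		}
		v.Browser = p.name
		// A suite the browser never offers means a different TLS stack
		// built this hello, e.g. a proxy re-originating the connection.
		for _, cs := range hello.CipherSuites {
			if !p.cipherSuites[cs] {
				v.Reasons = append(v.Reasons, fmt.Sprintf("unexpected cipher suite 0x%04x", cs))
			}
		}
		if p.sendsSNI && hello.ServerName == "" {
			v.Reasons = append(v.Reasons, "missing server_name extension")
		}
		for _, ver := range hello.SupportedVersions {
			if ver < p.minVersion {
				v.Reasons = append(v.Reasons, fmt.Sprintf("offers version 0x%04x below browser minimum", ver))
			}
		}
		v.Intercepted = len(v.Reasons) > 0
		return v
	}
	return v
}

// genuineHello is a CONSTRUCTED hello matching the profile above.
func genuineHello() *tls.ClientHelloInfo {
	return &tls.ClientHelloInfo{
		ServerName:        "example.test",
		CipherSuites:      []uint16{tls.TLS_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
		SupportedVersions: []uint16{tls.VersionTLS13, tls.VersionTLS12},
	}
}

// proxiedHello is a CONSTRUCTED hello as an older interception stack might
// build it: legacy suites, no SNI, and TLS 1.0 still on offer.
func proxiedHello() *tls.ClientHelloInfo {
	return &tls.ClientHelloInfo{
		CipherSuites:      []uint16{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_RC4_128_MD5},
		SupportedVersions: []uint16{tls.VersionTLS12, tls.VersionTLS10},
	}
}

func main() {
	ua := "Mozilla/5.0 BrowserA/1.0"
	fmt.Printf("genuine: %+v\n", CheckClientHello(ua, genuineHello()))
	fmt.Printf("proxied: %+v\n", CheckClientHello(ua, proxiedHello()))
}
```

In a real server the `*tls.ClientHelloInfo` would be captured in `tls.Config.GetConfigForClient` and matched to the HTTP request later; the weak link is the User-Agent lookup itself, which is exactly why the note above about IE/Edge user agents matters: a profile chosen from a misleading User-Agent produces false positives rather than detections.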