mirror of
https://github.com/ProxymanApp/Proxyman.git
synced 2026-04-26 08:35:53 +03:00
[GH-ISSUE #325] [Feature] Please remove requirement for OS level trust #320
Originally created by @brandonkal on GitHub (Nov 14, 2019).
Original GitHub issue: https://github.com/ProxymanApp/Proxyman/issues/325
Originally assigned to: @NghiaTranUIT on GitHub.
Proxyman version? (Ex. Proxyman 1.4.3)
1.9.2
macOS Version? (Ex. mac 10.14)
10.13.6
Steps to reproduce
Expected behavior
I simply do not trust root certificate authorities from third parties that are not installed by Apple or Mozilla. Firefox for Mac uses its own certificate store, so unlike Safari or Chrome, it can have the Proxyman CA installed while the rest of the system does not. I would like to install the Proxyman CA into Firefox Developer Edition. I do not use that browser as my daily driver outside of development, so the security risk of installing an additional CA is reduced.
Note that this is only a UI limitation as far as I am aware. The app can continue to recommend installing the CA with the system, but this workflow would enable using a dedicated browser for HTTPS-intercepted mitm.
@NghiaTranUIT commented on GitHub (Nov 15, 2019):
Hey @brandonkal Thanks for raising it. I understand your concern about installing the Proxyman CA as a Root Certificate.
Here is the workaround, so you can continue your work safely until I fix it in next release:
proxy.man/ssl and install + Trust the Proxyman certificate => It will install to Firefox Certificate Store
However, the UI will block when enabling new domains as you mention.
Overall, I suggest to offer the option to install the Certificate to Firefox and it's definitely safer than to the System Keychain.
@brandonkal commented on GitHub (Nov 15, 2019):
That is an interesting workaround. It would be good to mention that FF uses its own CA store as some users may be unaware.
I'd like Proxyman to just assume the application will trust a Proxyman impersonation certificate. It should always generate and serve those requests when a domain or app is configured. A user could for instance run curl with ssl verification disabled without having to enable trust across the whole system.
It would also be worth mentioning in the dialog that only "SSL" and "X.509" need to be trusted. This reduces the attack surface a bit as Proxyman CA has no reason to present code signing certificates etc.
Thank you
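The point raised in this comment, that trust in an interception CA can be granted to one client instead of the whole system, shown as an added example (not part of the original thread and not Proxyman code). The function names, host name and certificates are constructed for illustration, and it assumes the `openssl` CLI is installed:

```shell
#!/bin/sh
# Added example: every key and certificate below is constructed locally.
# Assumes the stock openssl.cnf, which marks `req -x509` output as a CA.

# Build a stand-in interception CA, an unrelated CA, and one leaf that
# the interception CA signs for a constructed host name.
make_demo_pki() {  # $1 = empty working directory
  for ca in intercept other; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=constructed-$ca-ca" \
      -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null || return 1
  done
  openssl req -newkey rsa:2048 -nodes -subj "/CN=api.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$1/leaf.csr" -days 1 \
    -CA "$1/intercept.pem" -CAkey "$1/intercept.key" -CAcreateserial \
    -out "$1/leaf.pem" 2>/dev/null
}

# True only when the CA bundle handed to this one verifier issued the leaf.
# Parses the output because old openssl builds exit 0 even on failure.
trusts_leaf() {  # $1 = CA bundle (PEM), $2 = leaf certificate (PEM)
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

demo() {
  d=$(mktemp -d) || return 1
  make_demo_pki "$d" || { rm -rf "$d"; return 1; }
  if trusts_leaf "$d/intercept.pem" "$d/leaf.pem"; then
    echo "verifier given the interception CA: leaf accepted"
  fi
  if ! trusts_leaf "$d/other.pem" "$d/leaf.pem"; then
    echo "verifier without it: leaf rejected"
  fi
  rm -rf "$d"
}

demo
```

curl accepts the same kind of PEM file through `--cacert`, which scopes trust to that single invocation and keeps certificate verification on.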
@NghiaTranUIT commented on GitHub (Nov 15, 2019):
Thanks for the mention about the SSL and X.509 option. I will fix it too 👍
At the early version, I assume that the application will trust the Proxyman and doesn't block the UI. However, the problem was that the majority of users are not aware how to do it manually, so I offer an automatic option and intuitive way to enable SSL for many naive users. Therefore, they're happy with it.
I will consider to make sure the app is good for the rest of users and also offer the opt-out for the expert users too.
@kfigiela commented on GitHub (Mar 20, 2020):
Any news on this? I also have concerns about adding system-wide CA. We're testing android app and we have no reason to install & trust CA on the machine Proxyman is running on.
@NghiaTranUIT commented on GitHub (Mar 20, 2020):
Sorry for the delay, but we haven't looked on it since there are certain high priority tickets during this time since the certificate changes might impact many logic in the app so it could take time to review and remove it.
I would suggest you to remove the Proxyman CA after you finish your work as a workaround.
You can do it quickly by deleting the Cert in Preference or Certificate menu -> Reset Cert.
@NghiaTranUIT commented on GitHub (Mar 20, 2020):
Meanwhile, I'm looking on it since the workload is reasonable since we refactored the certificate part in the last release.
@NghiaTranUIT commented on GitHub (Mar 20, 2020):
Hey @kfigiela and @brandonkal, I fixed and removed the Trust Requirement on remote devices (iOS and Android) and Firefox too.
Here is the beta build: https://www.dropbox.com/s/i9282v9h8bwrnei/Proxyman_1.19.0_No_Trust_On_Remote_device_Firefox.dmg?dl=0
I suggest to un-trust the Proxyman CA in Keychain or just Reset the Certificate, then installing on Manual Mode (No need to Trust). It should work 👍
@brandonkal commented on GitHub (Mar 20, 2020):
That is great news!
Is it limited to those applications?
I would suggest a simple check box "Don't prompt for CA install" is all that is required.
It can be on by default for the majority of users and then if checked it would assume that the application trusts the Proxyman CA and doesn't block the UI.
@NghiaTranUIT commented on GitHub (Mar 20, 2020):
That's a really good point 👍 I will add this checkbox in the Certificate Windows, so it would fit with all kind of users.
@NghiaTranUIT commented on GitHub (Mar 22, 2020):
It's done. I put more time to redesign the Mac Setup Guide Window and support this option to the Preference for advanced users 👍
Thank you guys 🙌 ❤️
@NghiaTranUIT commented on GitHub (Mar 22, 2020):
I will release in the next release phase 🌮
@NghiaTranUIT commented on GitHub (Mar 28, 2020):
Hey @brandonkal and @kfigiela, let's update to the new version Proxyman 1.20.0, which I just have released 👍 https://github.com/ProxymanApp/Proxyman/releases/tag/1.20.0
Thank you guys for raising this critical issue. From now, you can opt-out in Preference and work out of the box with remote devices and Firefox 🌮
@igokoro commented on GitHub (Jan 5, 2023):
I'm trying to use Proxyman in place of Charles Proxy for android development. Installing the proxyman root certificate on the host machine is a non-starter for me - as it would be in any company that cares about security. Compromising proxyman root cert would immediately render most of the security on the machine useless. Not even speaking that most users in enterprise environments won't even have rights to install root certificate. Proxyman really has no chance of winning enterprises from Charles Proxy if the root cert requirement remains...
In my case, I unchecked "Require Trusted Proxyman Certificate in Keychain Access", but accessing http://proxy.man/ssl refuses to provide cert to the mobile device. Is there a way to workaround this?
@NghiaTranUIT commented on GitHub (Jan 6, 2023):
Hey @igokoro
You can get the certificate at ~/.proxyman/proxyman-ca.pem and manually send it to your device.
Not sure why, but I'm still able to access http://proxy.man/ssl from my Web Browser even though the Certificate is not trusted in the Keychain. Can you re-launch the app and try again?
@igokoro commented on GitHub (Jan 9, 2023):
~/.proxyman/ directory was empty in my case. I had to manually generate a new cert in settings (but did not install it in the keychain). At this point, I was able to push the ca cert to my device to install it. But enabling HTTPS proxying for my domain still does not work:
@NghiaTranUIT commented on GitHub (Jan 10, 2023):
Let me investigate and get back to you @igokoro
@NghiaTranUIT commented on GitHub (Jan 10, 2023):
I assume you're using the latest build 3.15.0 @igokoro
I've tested and it works fine. Here is my step:
@igokoro can you try again?
@brandonkal commented on GitHub (May 15, 2024):
Closing this because it has been implemented. Thank you!