YAIP/docs/certificate-authority.md

# Certificate Authority

On startup, yaip will create a cetificate and key and store them in
~/.config/yaip/.

In order to intercept HTTPS traffic, yaip needs to become certificate authority.
It will pretend to be the client to the server, making HTTP requests in the same
way a browser would. It then pretends to be the server to the client. However,
this is precisely the kind of "attack" that the certificate system is designed
to prevent. Without further action, any modern browser will show warnings
because yaip isn't the server it is pretending to be.

In order to get around this, yaip becomes a certificate authority and verifies
all the responses that it makes. In order for this to work, it is necessary for
the authority to be trusted by your browser of choice. Search for "add
certificate authority in *your favourite browser*" in *your favourite search
engine*.

## How it works

If you set your browser to use yaip as a proxy, it will initially send a CONNECT
request to yaip, asking it to create a channel to the server it wants to connect
to. This looks something like this:

```
CONNECT example.com HTTP/1.1
```

For a normal (non intercepting) proxy, the proxy server would open a connection
to example.com and all traffic going through it would be invisible to the proxy
server. This is not very useful for us.

YAIP tells the client that it has established such a connection before it
communicates with the upstream server, by sending a `200 Connection Established`
response.

The client then begins the SSL/TLS negotiation. However, it negotiates with yaip
rather than the upstream server. Yaip takes the hostname from the connect
request so can generate a valid certificate.
Starts work on https as well as some moving about I now start the listener in the main.c file rather than proxy given that I didn't feel proxy was the right place if a normal (non-proxied) request came in. webserver.{c,h} and proxy.{c,h} had some changes relating to this. The config changed slightly - we now create a folder in ~/.config/ called yaip. This is where certificates and so on will be stored along with the user configuration I created a helper function to get files inside this directory (it changes based on xdg_config_home) and updated relevant tests. In ssl.{c,h} I have started work. If they don't exist, the tool now creates and stores a key and certificate for the CA that this tool will need to pretend to be. I still need to write tests for this. 3 years ago			`# Certificate Authority`

Starts on some documentation for certificates 3 years ago			`On startup, yaip will create a cetificate and key and store them in`
			`~/.config/yaip/.`
Starts work on https as well as some moving about I now start the listener in the main.c file rather than proxy given that I didn't feel proxy was the right place if a normal (non-proxied) request came in. webserver.{c,h} and proxy.{c,h} had some changes relating to this. The config changed slightly - we now create a folder in ~/.config/ called yaip. This is where certificates and so on will be stored along with the user configuration I created a helper function to get files inside this directory (it changes based on xdg_config_home) and updated relevant tests. In ssl.{c,h} I have started work. If they don't exist, the tool now creates and stores a key and certificate for the CA that this tool will need to pretend to be. I still need to write tests for this. 3 years ago
Starts on some documentation for certificates 3 years ago			`In order to intercept HTTPS traffic, yaip needs to become certificate authority.`
			`It will pretend to be the client to the server, making HTTP requests in the same`
			`way a browser would. It then pretends to be the server to the client. However,`
			`this is precisely the kind of "attack" that the certificate system is designed`
			`to prevent. Without further action, any modern browser will show warnings`
			`because yaip isn't the server it is pretending to be.`

			`In order to get around this, yaip becomes a certificate authority and verifies`
			`all the responses that it makes. In order for this to work, it is necessary for`
			`the authority to be trusted by your browser of choice. Search for "add`
			`certificate authority in your favourite browser" in *your favourite search`
			`engine*.`

			`## How it works`

			`If you set your browser to use yaip as a proxy, it will initially send a CONNECT`
			`request to yaip, asking it to create a channel to the server it wants to connect`
			`to. This looks something like this:`

			```
			`CONNECT example.com HTTP/1.1`
			```

			`For a normal (non intercepting) proxy, the proxy server would open a connection`
			`to example.com and all traffic going through it would be invisible to the proxy`
			`server. This is not very useful for us.`

			`YAIP tells the client that it has established such a connection before it`
			communicates with the upstream server, by sending a `200 Connection Established`
			`response.`

			`The client then begins the SSL/TLS negotiation. However, it negotiates with yaip`
			`rather than the upstream server. Yaip takes the hostname from the connect`
			`request so can generate a valid certificate.`