TLS/SSL (The S in HTTPS) guarantees that there are no eavesdroppers between you and the server you are contacting, i.e. no proxies. Normally, you use CONNECT
to open up a TCP connection through the proxy. In this case, the proxy will not be able to cache, read, or modify any requests/responses, and therefore be rather useless.
If you want the proxy to be able to read information, you can take the following approach:
- Client starts HTTPS session
- Proxy transparently intercepts the connection and returns an ad-hoc generated(possibly weak) certificate Ka, signed by a certificate authority that is unconditionally trusted by the client.
- Proxy starts HTTPS session to target
- Proxy verifies integrity of SSL certificate; displays error if the cert is not valid.
- Proxy streams content, decrypts it and re-encrypts it with Ka
- Client displays stuff
An example is Squid’s SSL bump. Similarly, burp can be configured to do this. This has also been used in a less-benign context by an Egyptian ISP.
Note that modern websites and browsers can employ HPKP or built-in certificate pins which defeat this approach.