Wednesday, January 30, 2008

Recording HTTPS with OpenSTA

A frequently asked question about OpenSTA is about its ability to record HTTPS traffic. The answer is already covered in the FAQ - but I'd like to go into a bit more detail here.
OpenSTA records traffic and generates scripts by acting as a proxy. All requests that are to be recorded must pass through this proxy. Every request and every response is recorded, together with timing information and all HTTP headers.

HTTPS, being based on SSL, encrypts all traffic between the browser and the server, so that nobody in between is able to inspect the data flowing in either direction. This is bad for our proxy, which needs to do exactly that in order to generate a script. To record HTTPS nevertheless, there are two possibilities:

1. The proxy acts just like the server, using a fake certificate. When recording, the user is confronted with the browser's warning that the certificate doesn't match the server it expects to be talking to. The user can then manually accept the certificate and continue to talk to the proxy as if it were the original server. The proxy decrypts the data from the browser and encrypts it again in order to talk to the server. The same is done with the server's response - everything is encrypted and decrypted twice.

To cut a long story short: This is not how it is done in OpenSTA. The authors chose the second possibility:

2. The browser talks plain HTTP with the proxy. The proxy is signalled that originally the traffic was meant to be encrypted. Then the proxy encrypts the traffic with the server, decrypts the response and talks plain HTTP with the client again.

This is how OpenSTA deals with the problem. The hint the proxy needs is just a curly brace directly after the http:// at the start of any URL. So, to record https://my.host.com/ you need to record http://{my.host.com/. Note that the curly brace is only opened and never closed. The curly brace was chosen because usual domain names never contain this character.

The curly brace is the hint that signals the proxy to talk HTTPS with the server.

To make things even more comfortable, the proxy filters all responses and replaces https:// links with http://{, so you usually need to type it only for the first request. When you start recording with an http URL, you probably never need to worry about the curly brace workaround.
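The curly brace convention in both directions, as an added sketch that is not OpenSTA's own code: the function names are hypothetical and the literal, case-insensitive substitution is an assumption about how the link filter behaves. The third function lists JSON-escaped https links that such a literal rewrite would leave untouched, which is worth checking when some requests are missing from a recording.

```python
import re

# Assumption: a literal, case-insensitive substitution models the link filter
# described in the post; OpenSTA's real filter is not shown on the page.
_HTTPS_LINK = re.compile(r"https://", re.IGNORECASE)
# Recorded URL: "http://", optional "{" marker, authority, then the rest.
_RECORDED = re.compile(r"^http://(\{?)([^/?#{}]+)([/?#].*)?$", re.IGNORECASE)
# JSON/JS-escaped HTTPS links that a literal "https://" match does not see.
_ESCAPED_HTTPS = re.compile(r"https:\\/\\/[^\s\"'<>]+", re.IGNORECASE)


def upstream_url(recorded_url):
    """Translate the URL typed in the browser into the URL the proxy fetches."""
    m = _RECORDED.match(recorded_url)
    if m is None:
        raise ValueError(f"not a recordable URL: {recorded_url!r}")
    brace, authority, rest = m.groups()
    scheme = "https" if brace else "http"  # "{" means: speak HTTPS to the server
    return f"{scheme}://{authority}{rest or '/'}"


def rewrite_response_links(body):
    """Replace https:// links so follow-up requests come back to the proxy."""
    return _HTTPS_LINK.sub("http://{", body)


def escaped_https_links(body):
    """List escaped HTTPS links that the literal rewrite leaves untouched."""
    return _ESCAPED_HTTPS.findall(body)


if __name__ == "__main__":
    # Constructed sample response body, not captured traffic.
    sample = ('<a href="https://my.host.com/cart">cart</a>'
              '<script>var api = "https:\\/\\/my.host.com\\/api";</script>')
    print(upstream_url("http://{my.host.com/"))
    print(rewrite_response_links(sample))
    print(escaped_https_links(sample))
```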

Use the Remote Recording method for recording https:// links.
