TLS/SSL (The S in HTTPS) guarantees that there are no eavesdroppers between you and the server you are contacting, i.e. no proxies. Normally, you use CONNECT
to open up a TCP connection through the proxy. In this case, the proxy will not be able to cache, read, or modify any requests/responses, and therefore be rather useless.
If you want the proxy to be able to read information, you can take the following approach:
- Client starts HTTPS session
- Proxy transparently intercepts the connection and
returns an ad-hoc generated(possibly
weak) certificate Ka,
signed by a certificate authority
that is unconditionally trusted by
the client. - Proxy starts HTTPS session to target
- Proxy verifies integrity of SSL
certificate; displays error if the
cert is not valid. - Proxy streams content, decrypts it
and re-encrypts it with
Ka - Client displays stuff
An example is Squid’s SSL bump. Similarly, burp can be configured to do this. This has also been used in a less-benign context by an Egyptian ISP.
Note that modern websites and browsers can employ HPKP or built-in certificate pins which defeat this approach.