Add SSL Stripping as an alternative to SSL MITM

[leonard84]

Although Betamax supports SSL MITM there are certain drawbacks:

• You need to install the Betamax RootCa in your cacerts on all Machines that run your tests
• SSL Tests can't run offline since even if there are recordings available, the MITM Proxy still tries to connect to the real server for the SSL Certificate

SSL Stripping would solve those issues, the system under test would talk plain HTTP to Betamax, which in turn will talk to the real server via SSL, but modify the responses to be plain HTTP again. This way we can run the Tests offline -after recording of course- since we don't need to talk to the real server to get the SSL Certificate. Furthermore we don't have to install the Betamax RootCa anymore, since we don't need to generate fake SSL Certificates.

IMHO this should be an alternative mode to the current SSL MITM in Betamax.

Resources:

• https://avicoder.me/2016/02/22/SSLstrip-for-newbies/
• https://github.com/moxie0/sslstrip POC implementation in python
  • https://github.com/moxie0/sslstrip/blob/master/sslstrip/ServerConnection.py here happens most of the magic
  • since it is quite old, it does not strip the new HSTS- and HPKP-Header, but this should be an easy addition
• https://www.youtube.com/watch?v=MFol6IMbZ7Y talk by Moxie Marlinspike about SSL Stripping