I wonder, has anyone built some sort of proxy yet to be able to access modern-TLS-using sites with old unmaintained devices?

Like, the "let's build sites so they work on all browsers" is fun and all, and is largely either unproblematic or a positive thing, but sending everyone's traffic over the internet in plaintext or over broken SSL is... extremely not it


(The problem with SSL/TLS specifically is that if you even *allow* plaintext or broken-SSL connections, this immediately makes *everybody* vulnerable to downgrade attacks, even if they are using a device/browser/etc. that supports a modern and safe TLS stack)

@joepie91 github.com/atauenis/webone among others. i think this is the one the Macstodon author recommends for being Online from antique Macs.

@joepie91
Additional problem with proxies and SSL/TLS is surfacing the status of remote certificate to the user.
IIRC one of very few well done solutions is Fudo Security's interceptor, which has two CAs, only one of which is trusted by clients, and it generates certificates for sites or proxies to with same dates as remote certificate, signed by either of the CAs, depending whether it itself recognises who signed remote certificate.
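
The two-CA scheme described in the post above, sketched as an added example (it is not part of the thread and not Fudo Security's code). It assumes the third-party Python `cryptography` package; the function names, CA names and sample dates are constructed for illustration.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _sign(subject, issuer, pubkey, signer_key, not_before, not_after, ext, critical):
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .add_extension(ext, critical=critical)
            .sign(signer_key, hashes.SHA256()))

def make_ca(cn):
    """Constructed self-signed proxy CA; returns (private_key, certificate)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = _sign(_name(cn), _name(cn), key.public_key(), key,
                 dt.datetime(2020, 1, 1), dt.datetime(2040, 1, 1),
                 x509.BasicConstraints(ca=True, path_length=0), True)
    return key, cert

def mint_leaf(host, not_before, not_after, upstream_trusted, good_ca, bad_ca):
    """Certificate the proxy presents to the old client for `host`.

    The validity dates are copied from the upstream certificate, and the
    issuing CA encodes the proxy's own verdict on the upstream chain.
    """
    ca_key, ca_cert = good_ca if upstream_trusted else bad_ca
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    return _sign(_name(host), ca_cert.subject, leaf_key.public_key(), ca_key,
                 not_before, not_after,
                 x509.SubjectAlternativeName([x509.DNSName(host)]), False)

def client_accepts(leaf, trust_store):
    """Signature-only check against the CA certificates the client has installed."""
    for ca in trust_store:
        if leaf.issuer != ca.subject:
            continue
        try:
            ca.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                   ec.ECDSA(leaf.signature_hash_algorithm))
            return True
        except InvalidSignature:
            pass
    return False
```

Because only the first CA is installed on the client, an upstream certificate the proxy could not validate still produces the client's own untrusted-issuer warning, and the copied dates let an expired upstream certificate show up as expired on the client.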

@joepie91 This is a perennial problem in the IT security industry where organisations need to monitor internet use for security and compliance reasons. Might be worth looking there for solutions, but it usually necessitates installing a certificate on the end device so that it trusts the proxy server.

@joepie91 Yes, it’s called Crypto Ancienne. The author tries to seamlessly integrate the updated TLS builds into the respective environments, but some are so constrained that they need a companion proxy device nearby. The release blog is definitely a fascinating read!

@joepie91 I get good results from:

1. wrp. Mac Plus era. github.com/tenox7/wrp
2. browservice. IE6 era. github.com/ttalvitie/browservi
3. webone. Anything that can read a .pac file. github.com/atauenis/webone

Only the last one is a true proxy in the HTTP sense. The other two add a layer of interface to every page in the older browser.
