
Force web address to go through HTTPS

At my work, http://twitter.com is blocked, but twitter is not. Is there any way to have all programs/browsers access this URL using the HTTPS protocol instead of HTTP?

Asked by: Guest | Views: 220
Guest [Entry]

I wonder if all third-party applications will actually take proxy settings into account, or if changing system-wide proxy settings might interfere with other applications. (Like when the company's proxy is required for internet access, so cannot be changed just to redirect traffic for twitter.com.) Luckily, when the application does not use HTTPS, then it cannot find a man-in-the-middle. So: set up a man-in-the-middle for twitter.com on port 80, using DeleGate.

The following steps have been tested on Mac OS X 10.6 and Windows XP, using accounts with full administrative rights.

Download DeleGate. Don't let the 1990's homepage fool you: the program is still maintained.
Tell DeleGate to forward all local requests on port 80 (and 443) to the HTTPS server, based on the value of the Host header in the HTTP request. For example, on an Intel Mac (where sudo is required to use privileged ports below 1024):

sudo ./macosxi-dg -v -P80,443 \
SERVER=https \
RELAY=vhost \
RESOLV=cache,dns \
STLS=-fcl,fsv \
ADMIN=a@b.c

For Windows, if unzipped to c:\:

cd c:\dg9_9_4\bin
dg9_9_4.exe -v -P80,443 SERVER=https RELAY=vhost RESOLV=cache,dns STLS=-fcl,fsv ADMIN=a@b.c

If you're required to use your company's proxy for internet access, then DeleGate will happily use that if you add something like PROXY=proxy.example.com:8080 to the command line.
In your /etc/hosts file (c:\windows\system32\drivers\etc\hosts on Windows XP; see Wikipedia for locations on other OSes), add the following line to direct all requests for twitter.com to your own computer. Note that the mapping from domain name to IP address does not take the protocol into account. So: this will not only be used for HTTP, but also for HTTPS (and everything else, such as commands like ping).

127.0.0.1 twitter.com

Ensure your browser is not set to use a proxy server, or add twitter.com as an exception. Just in case your browser has cached Twitter's IP address, you might want to restart it.
Now, http://twitter.com actually gets you (and all your applications) twitter.com.

The output shows that indeed the HTTPS site is requested from twitter.com:

REQUEST - GET / HTTP/1.1
REQUEST = twitter.com:443/ GET / HTTP/1.1
[..]
ConnectToServer connected [16] {168.143.161.20:443 <- 192.168.1.68:57067}
## SSLway -- TLSxSNI: sent ru=0 ty=0 nm=localhost
## SSLway ## 0.459622 connected/accepted
## SSLway server's cert. =
**subject /
C=US/
O=twitter.com/
OU=GT09721236/
OU=See www.rapidssl.com/resources/cps ©09/
OU=Domain Control Validated - RapidSSL®/
CN=twitter.com
**issuer /
C=US/
O=Equifax Secure Inc./
CN=Equifax Secure Global eBusiness CA-1

When using MOUNT="/* twitter.com/*" instead of RELAY=vhost then even http://localhost would give one twitter.com:

When explicitly requesting HTTPS using twitter.com, then the trusted certificate chain is broken: an HTTPS-aware application will discover the man-in-the-middle attack, and will fail if it cannot ask you for your permission to continue:

After testing, to run as a service on Windows, simply remove the -v parameter. This will install the program as a service. It will then run in the background, and ask you if you want to run it on startup:

Trying to start as a service [DeleGate Server -P80,443] ...
Set Automatic Start on System Startup ? [y] / n :

After running the above command without the -v parameter: see Control Panel » Administrative Tools » Services to manually start or stop DeleGate. Note that this service will refer to the location from which you initially started the dg9_9_4.exe program. So, you should not delete or move that program; be sure to unzip the download to, for example, c:\dg9_9_4 to avoid a reference to some Downloads directory that you might delete in the future.

To remove the service, just ensure to specify the same value for the -P parameter:

dg9_9_4.exe -P80,443 ADMIN=a@b.c
[..]
The service `DeleGate Server -P80,443' exists. Delete it ? [y] / n : y
OK. DELETEd the previous service.
Create a new service ? [y] / n : n

Finally, one may wonder how DeleGate knows the IP address of twitter.com (as we've mapped that to 127.0.0.1 in the hosts file). DeleGate actually retrieves that itself, because of RESOLV=cache,dns:

MOUNT[5]X[2] /* twitter.com/*
{R} SOA got [162.143.168.in-addr.arpa][ns1.dn.net]
[dnsadmin.enterprise.verio.net] 2008121001 10800 3600 604800 86400
Guest [Entry]

The Fiddler Rule is pretty simple. Inside OnBeforeRequest, add:

if (oSession.fullUrl.StartsWith("http://twitter.com/"))
{
    oSession.oRequest.headers.UriScheme = "https";
}
Guest [Entry]

Under Firefox, it seems that the add-on Force-TLS answers your problem.
Quote:

Here's how it works:

A site x.com served via HTTPS provides a header X-Force-TLS in its response. The header contains a max-age value (how long to remember the forced TLS) and optionally an includeSubDomains flag.
The browser receives this header and adds it to a Force TLS database.
In the future, any requests to x.com are modified to be via HTTPS if they are attempted through HTTP, before the request hits the network.
If any subdomains *.x.com are requested via HTTP and the includeSubDomains flag was set, they are also forced to be HTTPS.
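The client-side logic described in the Force-TLS quote above, and the unconditional http-to-https rewrite of the Fiddler rule two answers up, share one mechanism: rewrite the scheme of a request before it leaves the machine. The following is an added example written for this page in plain JavaScript, not code from Force-TLS, Fiddler or any answer here. It keeps a small policy store keyed by host, learns policies only from responses that arrived over HTTPS (otherwise a plain-HTTP on-path attacker could plant or clear them), honours max-age expiry and includeSubDomains, and rewrites http:// URLs accordingly. The header name and syntax follow the quoted description; the class and function names and the treatment of max-age=0 as "forget the policy" are assumptions of this example.

```javascript
// Added example (not Force-TLS or Fiddler code): a force-TLS policy store
// and the URL rewrite a client would apply before sending a request.

// Parse "max-age=<seconds>[; includeSubDomains]". Returns null on a header
// that carries no usable max-age, so a malformed header is simply ignored.
function parseForceTls(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of String(value).split(";")) {
    const part = raw.trim();
    if (!part) continue;
    const [name, v] = part.split("=").map((s) => s.trim());
    if (name.toLowerCase() === "max-age") {
      if (!/^\d+$/.test(v || "")) return null;
      maxAge = Number(v);
    } else if (name.toLowerCase() === "includesubdomains") {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class ForceTlsStore {
  constructor() {
    this.entries = new Map(); // host -> { expires (ms), includeSubDomains }
  }

  // Record a policy from a response. Only responses received over HTTPS are
  // trusted; a policy seen on plain HTTP is dropped. Returns true when the
  // store changed. (Treating max-age=0 as "forget" is this example's choice.)
  observeResponse(url, headerValue, nowMs = Date.now()) {
    const u = new URL(url);
    if (u.protocol !== "https:") return false;
    const policy = parseForceTls(headerValue);
    if (!policy) return false;
    const host = u.hostname.toLowerCase();
    if (policy.maxAge === 0) return this.entries.delete(host);
    this.entries.set(host, {
      expires: nowMs + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // True when a live policy applies to this host, either an exact entry or
  // a parent domain whose entry set includeSubDomains. Expired entries are
  // purged as they are met.
  covers(host, nowMs = Date.now()) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join(".");
      const entry = this.entries.get(candidate);
      if (!entry) continue;
      if (entry.expires <= nowMs) {
        this.entries.delete(candidate);
        continue;
      }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // The URL to actually fetch: http:// becomes https:// when a policy covers
  // the host; anything else (https, other schemes, unknown hosts) is untouched.
  rewrite(url, nowMs = Date.now()) {
    const u = new URL(url);
    if (u.protocol !== "http:") return url;
    if (!this.covers(u.hostname, nowMs)) return url;
    u.protocol = "https:"; // explicit non-default ports are kept as-is
    return u.href;
  }
}
```

The Fiddler rule corresponds to a store pre-seeded with a never-expiring entry for twitter.com; the Force-TLS add-on fills the store from the site's own header instead. Real HSTS (RFC 6797), which superseded this experiment, additionally refuses to apply includeSubDomains entries at public-suffix level and keeps a preloaded list so that even the first visit is protected, neither of which this small store does.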
Guest [Entry]

You could write a Greasemonkey script with Firefox. Here's one for FriendFeed.

Edit: Script for Twitter.
Guest [Entry]

I think there is not =/

Somebody can show up a way to do it, but seeing this as a software developer: many applications have http://twitter.com hard-coded, and since not only the address, but the protocol is different, I don't see a way to do it automagically, without changing the application. Some applications may work with both, so you can configure them.

Note: web applications are more hacky than desktop ones.

EDIT: good, crb. A proxy server, depending on the way Twitter is being blocked, could help him.