Selectively performing man in the middle decryption
First Claim
1. A method for replacing code from an electronic communication performed by data processing apparatus, the method comprising:
receiving, from a client device within a network, a Hypertext Transfer Protocol (HTTP) request containing a first address of a first resource on a server outside the network, wherein the network hosts both the client device and a man-in-the-middle gateway, wherein the first address contains a first domain;
redirecting the HTTP request to the man-in-the-middle-gateway configured to only handle a certain class of traffic upon determining that the traffic in the request is of the certain class, wherein the class of traffic consists of:
incoming encrypted traffic, outgoing encrypted traffic;
establishing a first encrypted connection between the client device and the man-in-the-middle-gateway, and a second encrypted connection between the man-in-the-middle-gateway and the server;
retrieving, by the man-in-the-middle-gateway, the first resource from the server;
storing the first resource in a memory accessible by the man-in-the-middle gateway;
modifying the first resource by changing HTTP links that point to locations that are (i) outside the network, and (ii) in the first domain to point to locations in a second domain of the man-in-the-middle-gateway, wherein modifying the first resource comprises extracting HTTP links in the first resource and replacing the extracted HTTP links with different HTTP links corresponding to the location of the man-in-the-middle gateway, wherein the network is configured to redirect messages within the network, from the client device to the man-in-the-middle-gateway, when messages from the client device are addressed to the second domain; and
serving, by the man-in-the-middle-gateway to the client device, the modified first resource by transmitting the modified first resource on a network medium of the network.
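The two steps of the claim that are most easily shown in code are the class-of-traffic test (only encrypted traffic is diverted to the gateway) and the modification step (extract the HTTP links in the retrieved resource and re-point those in the first domain at the gateway's second domain). The following is an added Python illustration, not code from the patent or from any product; the first domain `example.com` (origin server outside the network), the second domain `gw.internal` (the gateway) and the HTML snippet are constructed sample values.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Attribute values that carry HTTP links in an HTML resource (assumed set).
LINK_ATTR_RE = re.compile(r'\b(href|src|action)\s*=\s*(["\'])(.*?)\2',
                          re.IGNORECASE | re.DOTALL)


def is_encrypted_class(request_url: str) -> bool:
    """Class-of-traffic test: only encrypted (https) requests are redirected
    to the gateway; plain http traffic is left on its normal path."""
    return urlsplit(request_url).scheme.lower() == "https"


def extract_links(html: str) -> list:
    """Extraction step: every HTTP link found in the resource, in document order."""
    return [m.group(3) for m in LINK_ATTR_RE.finditer(html)]


def rewrite_link(link: str, first_domain: str, second_domain: str) -> str:
    """Re-point one link at the gateway if it leaves the network *and* is in
    the first domain. Assumption: 'in the first domain' means the host equals
    the first domain exactly; relative links and other hosts are untouched."""
    parts = urlsplit(link)
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() in ("http", "https") and host == first_domain.lower():
        # Scheme, path, query and fragment survive; only the authority changes.
        return urlunsplit((parts.scheme, second_domain, parts.path,
                           parts.query, parts.fragment))
    return link


def modify_resource(html: str, first_domain: str, second_domain: str) -> str:
    """Modification step: replace the extracted links in place, preserving
    the original attribute name and quoting."""
    def _sub(m):
        new = rewrite_link(m.group(3), first_domain, second_domain)
        return f"{m.group(1)}={m.group(2)}{new}{m.group(2)}"
    return LINK_ATTR_RE.sub(_sub, html)


# Constructed sample resource (not from the patent).
SAMPLE_HTML = (
    '<a href="https://example.com/login?next=/home">Login</a>\n'
    '<img src="https://cdn.example.com/logo.png">\n'
    '<a href="https://other.net/page">Other</a>\n'
    '<a href="/relative/path">Relative</a>\n'
    "<form action='https://example.com/post'></form>"
)

if __name__ == "__main__":
    print(modify_resource(SAMPLE_HTML, "example.com", "gw.internal"))
```

Under the exact-host assumption the `cdn.example.com` image link is left alone; a deployment that treats subdomains as part of the first domain would need a host-to-gateway mapping so the gateway can still tell which origin host to fetch from.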
Abstract
An HTTP request addressed to a first resource on a second device outside the network is received from a first device within the network. The HTTP request is redirected to a third device within the network. A first encrypted connection is established between the first device and the third device, and a second encrypted connection between the third device and the second device. The third device retrieves the first resource from the second device. The first resource is modified to change pointers within the first resource to point to locations in a domain associated with the third device within the network. The third device serves, to the first device, the second resource.
28 Claims
1. (Independent claim; full text given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. A non-transitory computer storage media encoded with computer program instructions that, when executed by one or more processors, cause a computer device to perform operations comprising:
receiving, from a client device within a network, a Hypertext Transfer Protocol (HTTP) request containing a first address of a first resource on a server outside the network, wherein the network hosts both the client device and a man-in-the-middle gateway, wherein the first address contains a first domain;
redirecting the HTTP request to the man-in-the-middle-gateway configured to only handle a certain class of traffic upon determining that the traffic in the request is of the certain class, wherein the class of traffic consists of:
incoming encrypted traffic or outgoing encrypted traffic;
establishing a first encrypted connection between the client device and the man-in-the-middle-gateway, and a second encrypted connection between the man-in-the-middle-gateway and the server;
retrieving, by the man-in-the-middle-gateway, the first resource from the server;
storing the first resource in a memory accessible by the man-in-the-middle gateway;
modifying the first resource by changing HTTP links that point to locations that are (i) outside the network, and (ii) in the first domain to point to locations in a second domain of the man-in-the-middle-gateway, wherein modifying the first resource comprises extracting HTTP links in the first resource and replacing the extracted HTTP links with different HTTP links corresponding to the location of the man-in-the-middle gateway, wherein the network is configured to redirect messages within the network, from the client device to the man-in-the-middle-gateway, when messages from the client device are addressed to the second domain; and
serving, by the man-in-the-middle-gateway to the client device, the modified first resource by transmitting the modified first resource on a network medium of the network.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20.
21. A system comprising:
one or more processors configured to execute computer program instructions; and
memory encoded with computer program instructions that, when executed by one or more processors, cause a computer device to perform operations comprising:
receiving, from a client device within a network, a Hypertext Transfer Protocol (HTTP) request containing a first address of a first resource on a server outside the network, wherein the network hosts both the client device and a man-in-the-middle gateway, wherein the first address contains a first domain;
redirecting the HTTP request to the man-in-the-middle-gateway configured to only handle a certain class of traffic upon determining that the traffic in the request is of the certain class, wherein the class of traffic consists of:
incoming encrypted traffic or outgoing encrypted traffic;
establishing a first encrypted connection between the client device and the man-in-the-middle-gateway, and a second encrypted connection between the man-in-the-middle-gateway and the server;
retrieving, by the man-in-the-middle-gateway, the first resource from the server;
storing the first resource in a memory accessible by the man-in-the-middle gateway;
modifying the first resource by changing HTTP links that point to locations that are (i) outside the network, and (ii) in the first domain to point to locations in a second domain of the man-in-the-middle-gateway, wherein modifying the first resource comprises extracting HTTP links in the first resource and replacing the extracted HTTP links with different HTTP links corresponding to the location of the man-in-the-middle gateway, wherein the network is configured to redirect messages within the network, from the client device to the man-in-the-middle-gateway, when messages from the client device are addressed to the second domain; and
serving, by the man-in-the-middle-gateway to the client device, the modified first resource by transmitting the modified first resource on a network medium of the network.
Dependent claims: 22, 23, 24, 25, 26, 27, 28.
Specification