package module
Version: v0.0.0-...-16e7256 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Jun 5, 2017 License: Apache-2.0 Imports: 8 Imported by: 0



Build Status GoDoc

TLS MITM Detection based on the work done in caddy, extracted as an easily importable and seperately testable go library for usage in independent go programs.

This capability is based on research done by Durumeric, Halderman, et. al. in "The Security Impact of HTTPS Interception" (NDSS '17) -

Full credit to caddy and all contributors for the implementation here, I've just tidied it up for use in other projects and given it a clean public API free of caddy/ imports and external dependencies.


Pass your net.Listener and *tls.Config to mitm, then check to see if your connections are MITM-ed with mitm.Check(r).

package main

import (


func main() {
	l, err := net.Listen("localhost", "8080")
	if err != nil {

	h := mitm.NewHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if mitm.Check(r) {
			panic("oh no, you've been MITM-ed")
		w.Write([]byte("all good!"))
	}), l, nil, false)

	log.Fatal(http.Serve(l, h))


go get -u


Apache, see LICENSE




View Source
const (

	// cipher suites missing from the crypto/tls package,
	// in no particular order here
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   = 0xc028
	TLS_RSA_WITH_AES_256_CBC_SHA256         = 0x3d
	TLS_DHE_RSA_WITH_AES_128_CBC_SHA        = 0x33
	TLS_DHE_RSA_WITH_AES_256_CBC_SHA        = 0x39
	TLS_RSA_WITH_RC4_128_MD5                = 0x4

	// new PSK ciphers introduced by TLS 1.3, not (yet) in crypto/tls
	TLS_AES_128_GCM_SHA256       = 0x1301
	TLS_AES_256_GCM_SHA384       = 0x1302
	TLS_CHACHA20_POLY1305_SHA256 = 0x1303
	TLS_AES_128_CCM_SHA256       = 0x1304
	TLS_AES_128_CCM_8_SHA256     = 0x1305

Define variables used for TLS communication


This section is empty.


func Check

func Check(r *http.Request) bool

Check returns true if the connection has been marked as MITM-ed


type Handler

type Handler struct {
	// contains filtered or unexported fields

Handler is a http.Handler that will inject a value into the request context indicating if the TLS connection is likely being intercepted.

func NewHandler

func NewHandler(h http.Handler, ln net.Listener, c *tls.Config, closeOnMITM bool) *Handler

NewHandler returns a new Handler set up to detect tls MITM

func (*Handler) ServeHTTP

func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP checks the User-Agent. For the four main browsers (Chrome, Edge, Firefox, and Safari) indicated by the User-Agent, the properties of the TLS Client Hello will be compared. The context value "mitm" will be set to a value indicating if it is likely that the underlying TLS connection is being intercepted.

Note that due to Microsoft's decision to intentionally make IE/Edge user agents obscure (and look like other browsers), this may offer less accuracy for IE/Edge clients.

This MITM detection capability is based on research done by Durumeric, Halderman, et. al. in "The Security Impact of HTTPS Interception" (NDSS '17):

Source Files


Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
t or T : Toggle theme light dark auto
y or Y : Canonical URL