mitmproxy: release v0.13


This is a slightly late announcement of the release of mitmproxy v0.13, which was pushed out the door earlier this week by my esteemed compatriots while I was tied up with other things. We have a number of big new features this time round. First, mitmproxy now has upstream certificate validation, thanks to the hard work of Kyle Morton. Mitmproxy is increasingly being used in user-oriented roles where upstream cert validation is crucial, so this is a welcome improvement. We also have a new transparent proxy mode, which uses the HTTP Host headers to detect the upstream server to connect to, rather than the OS NAT tables. This isn't accurate 100% of the time, but it's so convenient that having it in the base makes sense. Thanks to Ijiro123. Other improvements include include marking of flows in mitmproxy console (thanks to Jake Drahos) and and an addition to the filter language allowing better matching of source and destination addresses (thanks to Israel Halle)

This release also features something a bit more unusual: a removed feature. We added the ability to forward server certificates through to the client verbatim to allow mitmproxy to exploit the infamous #gotofail bug on IOS and OSX. We were one of the first (and perhaps THE first) publicly available mechanisms to exploit this issue, and pen testers, app reversers and curious folks everywhere rejoiced. Unfortunately, cert forwarding has become a support burden - for fiddly technical reasons, it adds a lot of complication to the way mitmproxy is distributed and installed. Since #gotofail is no longer so current, we've decided to remove support from mitmproxy. If you still have some vulnerable devices out there you need to muck with, the official answer at the moment is to install v0.12.