
acroca/fitm


FITM

FITM lets you share access to websites without sharing your real credentials.

FITM stands for 'friend in the middle', an analogy to man-in-the-middle but trusting that man.

It is essentially an HTTP proxy that takes ownership of cookies, storing them and re-injecting them so they never reach the browser.

Why

Sharing credentials like a username and password with other people is not great. People could be saving those credentials somewhere and accessing the service later on, unless you change the password once that person no longer needs access. And this doesn't scale very well.

Tools like 1Password are awesome for sharing credentials, but bad actors could abuse this. Worst case, an ex-employee could hold lots of critical credentials, and unless the passwords change, those credentials are still valid.

I wanted to create a way to share access to services in a controlled manner, without sharing the credentials. Something that could grant temporary access to others, without allowing them access in the future and without the need for constant password rotation.

Features

  • HTTP proxy
  • HTTPS proxy (using a self-signed CA certificate)
  • Persists cookies on disk

Quick start using Docker Compose

TODO

How does this work

The main component of FITM is the HTTP/HTTPS proxy, and that's done using mitmproxy. This is an awesome tool that creates a man-in-the-middle proxy (essentially the HTTP/HTTPS proxy itself) with a really good plugin system, which we use to implement the cookie logic.

The mitmproxy plugin takes ownership of cookies: it strips them from responses, stores them, and re-injects them into requests on the way back to the server, so the browser never sees them.
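As an added illustration of that plugin logic (example code, not FITM's own addon), a minimal mitmproxy addon that absorbs Set-Cookie headers into a proxy-side jar and re-injects them on later requests to the same host. The hook names and header methods are mitmproxy's; the jar file path is a placeholder, and cookies are scoped by request host only (Domain and Path attributes are ignored for brevity).

```python
import json
from pathlib import Path
from typing import Optional

JAR_PATH = Path("cookie_jar.json")  # placeholder path, not FITM's real location


def parse_set_cookie(header: str):
    """Return (name, value) from a Set-Cookie header.
    value is None when the server deletes the cookie via Max-Age<=0
    (Expires in the past is not checked here)."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    for attr in attrs:
        key, _, val = attr.partition("=")
        val = val.strip()
        if key.lower() == "max-age" and val.lstrip("-").isdigit() and int(val) <= 0:
            return name.strip(), None
    return name.strip(), value


class CookieOwner:
    """Proxy-side cookie jar: host -> {cookie name: value}."""

    def __init__(self, path: Optional[Path] = JAR_PATH):
        self.path = path
        self.jar = {}
        if path is not None and path.exists():
            self.jar = json.loads(path.read_text())

    def absorb(self, host: str, set_cookie_headers) -> None:
        per_host = self.jar.setdefault(host, {})
        for header in set_cookie_headers:
            name, value = parse_set_cookie(header)
            if not name:
                continue
            if value is None:
                per_host.pop(name, None)  # server asked to delete the cookie
            else:
                per_host[name] = value
        if self.path is not None:
            self.path.write_text(json.dumps(self.jar))  # persist jar on disk

    def cookie_header(self, host: str) -> str:
        return "; ".join(f"{k}={v}" for k, v in self.jar.get(host, {}).items())

    # mitmproxy hooks: called for every request/response passing through
    def request(self, flow):
        flow.request.headers.pop("cookie", None)  # drop whatever the browser sent
        header = self.cookie_header(flow.request.pretty_host)
        if header:
            flow.request.headers["cookie"] = header

    def response(self, flow):
        issued = flow.response.headers.get_all("set-cookie")
        if issued:
            self.absorb(flow.request.pretty_host, issued)
            del flow.response.headers["set-cookie"]  # browser never sees them


addons = [CookieOwner()]
```

Run it with `mitmdump -s this_file.py`; the browser only ever sees the proxy's CA-signed traffic with the Set-Cookie headers already removed.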

HTTPS support

FITM uses mitmproxy under the hood. In order for mitmproxy to tunnel HTTPS requests, the user has to install the CA certificate generated by mitmproxy. When using the provided docker compose file, the generated certificate can be found here: $HOME/.config/fitm/dotmitmproxy/mitmproxy-ca-cert.pem

More info about how certificates work in mitmproxy here