2 @documentencoding UTF-8
6 Copyright @copyright{} 2021 @email{stargrave@@stargrave.org, Sergey Matveev}
14 @item I am tired that various HTTPS clients (like browsers and feed
15 aggregators) use various TLS libraries with different features. NSS,
16 GnuTLS, OpenSSL... All of them sucks, comparing to Go's @code{crypto/tls}.
18 @item I tired that everyone provides very limited certificates trust
19 management capabilities, like either certificate or SPKI
20 @url{https://en.wikipedia.org/wiki/Certificate_pinning, pinning} with
21 @url{https://en.wikipedia.org/wiki/Trust_on_first_use, TOFU}. Even my
22 beloved @url{https://en.wikipedia.org/wiki/Xombrero, Xombrero} browser
23 still pins only the whole certificate, but its public key would be much
24 more sufficient and convenient to work with.
26 @item I am tired that many clients provides very few information about
27 certificates and connections at all.
29 @item I hate that hardly anyone can control (no automatic silent
30 transparent following) HTTP redirections. Although Firefox had proper
33 @item I am sick of tiny control on URLs. The best you can is to use some
34 kind of @url{https://en.wikipedia.org/wiki/Privoxy, Privoxy}, but it is
35 not friendly with TLS connections, obviously.
37 @item Hardly anyone does
38 @url{https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities, DANE}
41 @item And there is insanity of downloading fonts.
42 Why the hell people just do not send PostScript documents instead!?
44 @item And wonderful @url{http://jpegxl.info/, JPEG XL} image format is
45 not supported by most browsers. Even pretty old
46 @url{https://developers.google.com/speed/webp, WebP} is not supported
47 everywhere. @url{https://aomediacodec.github.io/av1-avif/, AVIF} would
52 That is why I wrote @command{tofuproxy} -- pure Go HTTP proxy, MitMing
53 all HTTPS connections on the fly. It is written for my personal needs
54 exclusively, so many features are just directly hard-coded, instead of
55 creating some kind of complex configuration framework.
59 @item Effective responses proxying, without storing them in the memory first.
61 @item TLS connection between client and @command{tofuproxy} has the
62 proper hostname set in ephemeral on-the-fly generated certificate.
64 @item @code{HEAD} method is forbidden, as Xombrero loves it too much and
65 it does not send User-Agent to differentiate it from others.
67 @item @code{www.reddit.com} is redirected to @code{old.reddit.com}.
69 @item @url{https://habr.com/ru/all/, Хабр}'s resolution reduced images
70 are redirected to their full size variants.
72 @item Various spying domains (advertisement, tracking counters) are denied.
74 @item Web fonts downloads are forbidden.
76 @item Permanent HTTP redirects are replaced with HTML page with the link.
78 @item Temporary HTTP redirects are replaced with HTML too, if it is
79 neither @url{https://newsboat.org/, Newsboat} nor image paths.
81 @item WebP images, if it is not Xombrero, is transcoded to PNG.
83 @item JPEG XL and AVIF images are transparently transcoded to PNG too.
85 @item Default Go's checks are applied to all certificates. If they pass,
86 then certificate chain is saved on the disk. Future connections are
87 compared against it, warning you about SPKI change and waiting for
88 your decision either to accept new chain (possibly once per
89 session), or reject it.
91 @item Even when native Go's checks are failed, you can still make a
92 decision to forcefully trust the domain.
94 @item Optionally DANE-EE check is also made for each domain you visit.
96 @item TLS session resumption and keep-alives are also supported.
98 @item And Go itself tries also to act as a
99 @url{https://http2.github.io/, HTTP/2} client too.
108 What I am planning possibly to do? Just brainstorming:
112 @item HTTP authorization dialog.
114 @item TLS client certificates usage capability.