Using HTTPS in Java without encryption

We are looking for a solution that will allow us to use HTTPS without encryption. What for? Here is the story:

Our product (installed on clients) connects to our servers to receive updates, publish information, etc. We want the product to verify that it is connected to the server (and not to the impostor) before publishing the data. We must also ensure that there are no “man in the middle” attacks (that is, content must be signed, etc.). However, our customers require that they can sniff the traffic (Wireshark, tcpdump, etc.) and view the contents of the entire transaction. This is for compliance and safety reasons.

Our product is written in Java, by the way.

Any ideas?

UPDATE: Please excuse me if I do not use the correct form for answering answers, I am pretty new to this site.

First of all, thanks for your quick answers!

Our reason for exploring the possibilities of HTTPS is that we do not want to come up with a new protocol here. This is not just a lot of work, but the fact that inventing your own security protocol (even if it is used only for signing) is usually considered bad practice. We are trying to get the benefits of HTTPS for server authentication (importantly, this server also serves executable code, which can be quite large - we don’t want anyone to serve malware or DoSing our clients with big data, which only after receiving all that the system will detect this poorly), and MITM provisioning does not occur (signing the messages themselves). We do not mind if someone eavesdrops on traffic, because it never contains something that is considered confidential. Besides, it’s not necessary to read content easily in Wireshark, it’s only possible for auditors to do so.

@Nate Zaugg - , . , HTTPS .

@erickson - NULL- , . - , .

@ZZ Coder - , Wireshark?

+5
6

SSL "ciphersuites" , Sun JSSE SSL_RSA_WITH_NULL_SHA. , SSL ( MAC, ..), Wireshark, .

, ephemeral Diffie-Hellman ( DHE_XXX ciphersuites), Wireshark SSL. , ciphersuites.

+9
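
An added example, not code from the question or from any of the answers: a JSSE client restricted to the SSL_RSA_WITH_NULL_SHA suite named above, with host name verification switched on so the server is still authenticated while the payload stays readable on the wire. The class name and the host and port taken from the command line are assumptions, and the server must offer the same suite.

```java
import java.io.IOException;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class NullCipherClient {
    // Suite named in the answer: RSA server authentication, HMAC-SHA1 record integrity, no encryption.
    static final String SUITE = "SSL_RSA_WITH_NULL_SHA";

    static SSLSocket connect(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            // setCipherSuites() throws on unknown names, so check support first.
            if (!Arrays.asList(socket.getSupportedCipherSuites()).contains(SUITE)) {
                throw new IOException(SUITE + " is not supported by this JSSE provider");
            }
            SSLParameters params = socket.getSSLParameters();
            params.setCipherSuites(new String[] { SUITE });   // offer nothing else
            params.setProtocols(new String[] { "TLSv1.2" });  // suite is negotiated under TLS 1.2 or earlier
            // A raw SSLSocket does not match the certificate to the host name unless asked to.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake(); // certificate chain and host name are validated here
            String negotiated = socket.getSession().getCipherSuite();
            if (!SUITE.equals(negotiated)) {
                throw new IOException("unexpected cipher suite: " + negotiated);
            }
            return socket;
        } catch (IOException | RuntimeException e) {
            socket.close();
            throw e;
        }
    }

    public static void main(String[] args) throws IOException {
        // If this policy lists NULL, the connection fails until the policy is changed.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        try (SSLSocket s = connect(args[0], Integer.parseInt(args[1]))) {
            System.out.println("Server authenticated, records MAC-protected, payload in clear: "
                    + s.getSession().getCipherSuite());
        }
    }
}
```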

, ( ) , HTTPS? , , , .

+3

@Jon Skeet - HTTPS, . Amazon S3 , .

, , - , . ( , ) . , , (, 15 ), , , . , , .

, "--" ( , , ), MITM .

+1

NULL- (1 2), , . , 2 .

, SSL, .

0

? , , ? ?

if each client has a key, like a simple password that the server knows, the key can be used as a salt with a hash function to sign requests / responses.

0