SSL/TLS Basics
HTTPS is widely known as being the "secure" version of HTTP, but what does that actually mean? HTTPS is HTTP on top of the SSL, or TLS as it's now known, protocol which provides confidentiality and authentication; the connection to the server is encrypted to prevent intermediaries from inspecting or modifying the data that's transferred between it and the browser, and the server presents a certificate that "proves" to the browser its identity. This certificate is signed by a certificate authority (CA)'s root certificate, of which browsers have a list of CAs which they trust to identify sites. It's important to note that HTTPS does not make any judgements about the content itself - it only guarantees that the content was unmodified and came from the server which has that certificate. Pages served with HTTPS can and will contain things you want to block and modify with Proxomitron. They can even contain malware (and in that case HTTPS makes it harder for others inspecting the traffic to see its existence!) CAs like Let's Encrypt can give any site a certificate, only based on proof that one owns the domain name of the site.
Where does Proxomitron fit into all this? From the point of view of a browser communicating with a server, Proxomitron is an intermediary, so by default it won't be able to do anything with HTTPS sites - it'll act like it was completely bypassed and pass through the data unmodified. However, when HTTPS filtering is enabled, Proxomitron itself acts like both a web browser to the remote server, establishing a secure channel to it in the same way a browser would, but also "pretends" to be the server to a browser, filtering the content between these two sides. As mentioned above, this situation normally wouldn't be permitted by SSL/TLS, since Proxomitron wouldn't be able to show the same certificate that was signed by a CA trusted by the browser, and this is also how actual attackers attempting to inspect or modify the content would appear too. Fortunately, since CAs come and go, it's not impossible to change the list of root certificates in many browsers, which means we can have a browser trust Proxomitron's certificate, so it can filter HTTPS sites without causing errors or warnings.
Scott originally provided a separate batch file and instructions on how to generate a certificate, but new to Proxomitron Reborn is an easy-to-use certificate generator that makes this process much easier. See the Certificate Generator page for more information on how to use it. Once you've generated a certificate, which will be saved as a file in PEM format in Proxomitron's directory and named proxcert_certonly.pem, import it into your browser's list of trusted root certificates, and set your browser to use Proxomitron as its "secure" proxy.
