664 points alexflint | 12 comments
alexflint ◴[] No.42919910[source]
httptap is a process-scoped http tracer that you can run without root privileges. You can run `httptap <command>` where <command> is a linux program and you get a trace of http/https requests and responses in standard output:

    httptap -- python -c "import requests; requests.get('https://monasticacademy.org')"
    ---> GET https://monasticacademy.org/
    <--- 308 https://monasticacademy.org/ (15 bytes)
    ---> GET https://www.monasticacademy.org/
    <--- 200 https://www.monasticacademy.org/ (5796 bytes)

It works by running <command> in an isolated network namespace. It has its own TCP/IP stack (for which it uses gVisor). It is not an HTTP proxy and so does not rely on <command> being configured to use an HTTP proxy. It decrypts TLS traffic by generating a CA on the fly. It won't install any iptables rules or make other global system changes.
replies(3): >>42920666 #>>42921671 #>>42922996 #
1. gear54rus ◴[] No.42920666[source]
can it modify requests or responses? with the current web getting increasingly user-hostile a need for a tool like this was never more apparent

especially if it doesn't require proxy configuration

replies(4): >>42921354 #>>42921863 #>>42922082 #>>42930927 #
2. alexflint ◴[] No.42921354[source]
Agreed! So there isn't any interface for modifying requests/responses at present, but it's definitely possible given the underlying approach. If you consider [this line of code](https://github.com/monasticacademy/httptap/blob/main/http.go...) where you have an HTTP request parsed from the <command> that ran and are about to send it out to the public internet: you could modify the request (or the response that is received a few lines further) in just the way that you would modify a normal http.Request in Go.
replies(1): >>42923714 #
3. pcpuser ◴[] No.42921863[source]
You might find mitmproxy useful.
replies(1): >>42923115 #
4. knome ◴[] No.42922082[source]
if the program doesn't pin certificates, you should be able to intercept them by telling your machine to trust a certificate authority of your own creation and performing a mitm attack on the process's traffic. if it does do certificate pinning, then it won't trust your home issued cert, and will refuse to send data through your proxy.
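
Added example, not part of the thread and not httptap's own code: it ties together the "generating a CA on the fly" description and the certificate-pinning comment above by minting a throwaway CA and a leaf certificate, then checking them as a CA-trusting client and as a pinning client would. The helper names `issue` and `accepts`, the hostname `service.example`, the CA name and the pin value are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a short-lived certificate for name; a nil parent yields a self-signed CA.
func issue(name string, parent *x509.Certificate, signer ed25519.PrivateKey) (cert *x509.Certificate, key ed25519.PrivateKey, err error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // self-signed CA that may sign leaf certificates
		t.IsCA, t.KeyUsage, parent, signer = true, t.KeyUsage|x509.KeyUsageCertSign, t, key
	} else { // leaf valid for exactly one DNS name
		t.DNSNames, t.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err == nil {
		cert, err = x509.ParseCertificate(der)
	}
	return cert, key, err
}

// accepts: the chain must verify against roots for host; a pinning client (pin != nil) also compares the SPKI hash.
func accepts(leaf *x509.Certificate, roots *x509.CertPool, host string, pin *[32]byte) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil && (pin == nil || sha256.Sum256(leaf.RawSubjectPublicKeyInfo) == *pin)
}

func main() {
	ca, caKey, err := issue("on-the-fly CA", nil, nil)
	minted, _, err2 := issue("service.example", ca, caKey)
	if err != nil || err2 != nil {
		panic(fmt.Sprint(err, err2))
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	pin := sha256.Sum256([]byte("constructed stand-in for the real server's SPKI"))
	fmt.Println(accepts(minted, roots, "service.example", nil), accepts(minted, roots, "service.example", &pin)) // true false
}
```

The trust decision sits entirely in which roots the client loads: a client whose pool lacks the local CA, or which pins the origin's key, rejects the minted certificate even though the hostname matches.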
5. alexflint ◴[] No.42923115[source]
Yep, mitmproxy is fantastic IMO.
replies(1): >>42924295 #
6. _boffin_ ◴[] No.42923714[source]
Injecting random data into telemetry requests to mess up someone’s pretty dashboard?
replies(1): >>42924271 #
7. gear54rus ◴[] No.42924271{3}[source]
There's at least https://adnauseam.io/ for that already
replies(1): >>42942169 #
8. gear54rus ◴[] No.42924295{3}[source]
Apparently there's a JS interface for it too: https://www.npmjs.com/package/mitmproxy

But the problem with it is that you have to configure a proxy in the app (they do have transparent and wireguard modes but there's still quite a bit of configuration).

9. dspillett ◴[] No.42930927[source]
> especially if it doesn't require proxy configuration

It does require trusting a local CA, or apps away from the browser being configured not to validate CAs (or trust the new CA) if they don't push responsibility for that to the OS-level support.

I'm not sure it would be a good idea for the non-technical public: teaching them how to set up trust for a custom CA and that it is sometimes a good thing to do would lead to a new exploit route/tool for phishers and other black-hats because many users are too naively trusting or too convenience focussed to be appropriately careful. How many times have we seen people install spyware because of claims that it will remove spyware? It could also be abused by malicious ISPs, or be forced on other ISPs by governments “thinking of the children”.

replies(1): >>42931030 #
10. gear54rus ◴[] No.42931030[source]
> How many times have we seen people install spyware because of claims that it will remove spyware?

That is the kind of example that completely disproves your point. How many times do we have to fall into the 'just lock everything down for safety' pit and end up being forced to look at even more ads as a result before we learn?

The only way to be safe is to be informed, 'just works' doesn't exist. Don't trust anyone but yourself.

replies(1): >>42932566 #
11. dspillett ◴[] No.42932566{3}[source]
> The only way to be safe is to be informed

Unfortunately getting everyone into an informed state is a massive and so far unattainable task, and those not well-informed are not just a potential danger to themselves but to the rest of the network, so we need fail-safe protections in place and to not encourage people to disable them for the sake of convenience.

> Don't trust anyone but yourself.

But do encourage people to trust a CA they have no knowledge of how to verify? That CA could also sign things that happen in the background so trusting is potentially trusting a huge portion of the Internet with no further stopping points for the user to verify trust. Your point seems to be internally contradictory.

12. _boffin_ ◴[] No.42942169{4}[source]
that's a browser add-in, if i remember. I'm talking about all the telemetry for native apps. Since those aren't messed with too much, i'm sure there would be a few meetings arranged to figure out what's happening.