Most active commenters
  • ranger_danger(4)

←back to thread

Httptap: View HTTP/HTTPS requests made by any Linux program

(github.com)
664 points alexflint | 21 comments | 03 Feb 25 16:28 UTC | HN request time: 1.402s | source | bottom
1. ranger_danger ◴[03 Feb 25 19:23 UTC] No.42921763[source]
Why not use eBPF instead? Then you could see all http requests from all processes at once, including ones that are already running. Plus you wouldn't need to bother with TLS at all, just hook on e.g. write(2).
replies(5): >>42921870 #>>42921954 #>>42923824 #>>42924500 #>>42927428 #
2. TacticalCoder ◴[03 Feb 25 19:33 UTC] No.42921870[source]
Wouldn't this require root? A big "selling point" of httptap seems to be that precisely it doesn't require root.

Anyway the more options we have, the better.

3. somanyphotons ◴[03 Feb 25 19:39 UTC] No.42921954[source]
Presumably eBPF requires root privs?
replies(2): >>42922030 #>>42922926 #
4. trallnag ◴[03 Feb 25 19:46 UTC] No.42922030[source]
I'm having a hard time coming up with a use case where I want to use a tool like that but I'm also lacking root privileges
replies(1): >>42922087 #
5. freedomben ◴[03 Feb 25 19:51 UTC] No.42922087{3}[source]
Inside most production environments. I could use this today inside a Pod that isn't allowed root privs.
replies(2): >>42922183 #>>42924734 #
6. zamubafoo ◴[03 Feb 25 20:00 UTC] No.42922183{4}[source]
In production environments that won't give you root access, you won't be exec'ing inside of a pod if you aren't an operator or sysadmin.
replies(2): >>42923186 #>>42924603 #
7. ◴[03 Feb 25 20:51 UTC] No.42922926[source]
8. imcritic ◴[03 Feb 25 21:10 UTC] No.42923186{5}[source]
No, you are wrong. I would. The pod would be mine though.
9. adtac ◴[03 Feb 25 21:58 UTC] No.42923824[source]
How would hooking on write(2) solve TLS? You'll be able to read and modify the ciphertext, but the process will never call write(2) with the plaintext bytes, so you can't actually read the HTTP request. You'll just see the encrypted bytes that go on the wire, but so does the NSA :)

You need the kind of CA certificate trick that httptap uses. It comes with its own set of caveats (e.g. certificate pinning), but it can be made to work reliably in most practical scenarios.

I've spent an unjustifiable amount of time thinking about this specific problem building Subtrace [1], so I'm genuinely very interested in a simpler / more elegant approach.

[1] https://github.com/subtrace/subtrace

replies(2): >>42929856 #>>42932717 #
10. alexflint ◴[03 Feb 25 22:52 UTC] No.42924500[source]
Unfortunately TLS happens inside the the application, not in the kernel, so using eBPF to hook syscalls to write won't help with TLS decryption.
replies(2): >>42924670 #>>42928250 #
11. freedomben ◴[03 Feb 25 23:02 UTC] No.42924603{5}[source]
In my particular case, I am an operator and sys admin, but I don't give myself root privileges without having to go through some serious hoops, which I only jump through if I really truly need it. If I want root, I have to actually change the kubernetes manifest yaml to allow elevation to root privileges. That's not something that can be done without getting others involved for code reviews and what not.

However, even in the case of general developers, it isn't true. Companies do restrict exec abilities, but we don't. Many startups are the same, because developers are expected to also troubleshoot and debug production issues. If you don't allow shells in pods, you are really binding the hands of your devs.

To be clear, I am not disagreeing with you. You are correct in many cases. But there are a number of exceptions in my experience.

12. dgl ◴[03 Feb 25 23:09 UTC] No.42924670[source]
It is quite simple to use eBPF with uprobes to hook library calls, for example: https://github.com/iovisor/bcc/blob/master/tools/sslsniff.py

The downside is this doesn't work with anything not using OpenSSL, there are projects like https://github.com/gojue/ecapture which have interceptors for many common libraries, but the downside is that needs different code for each library.

I think providing a TLS certificate is fine for the use cases of the tool; most tools won't be doing certificate pinning, but ecapture does support Android where this is more likely.

13. dgl ◴[03 Feb 25 23:14 UTC] No.42924734{4}[source]
This won't work in most cases inside a Kubernetes pod, as the default seccomp policies don't allow creating namespaces within them. You can obviously relax the seccomp policies, but at that point you can also just give yourself the capabilities.

There are eBPF tools which will work, for example https://inspektor-gadget.io/docs/latest/gadgets/trace_ssl

14. ARob109 ◴[04 Feb 25 03:23 UTC] No.42927428[source]
Using uprobes to hook the SSL library, would it be possible to filter content by inspecting and modifying eg the decrypted HTTP response ?
replies(1): >>42928234 #
15. ranger_danger ◴[04 Feb 25 05:04 UTC] No.42928234[source]
absolutely
replies(1): >>42929118 #
16. ranger_danger ◴[04 Feb 25 05:07 UTC] No.42928250[source]
But read and write syscalls are used by the application to do I/O on the sockets before/after the encryption, which can be intercepted. Or you can attach uprobes directly to the TLS library's own functions.
17. farnulfo ◴[04 Feb 25 07:13 UTC] No.42929118{3}[source]
eBPF TLS tracing: The Past, Present and Future https://blog.px.dev/ebpf-tls-tracing-past-present-future/
replies(1): >>42933364 #
18. jeroenhd ◴[04 Feb 25 08:49 UTC] No.42929856[source]
I believe that's how https://github.com/gojue/ecapture works. I don't know the details, but it seems to work!
replies(1): >>42933483 #
19. ranger_danger ◴[04 Feb 25 14:26 UTC] No.42932717[source]
My understanding is that typically a TLS library provides a socket interface for the application to write() to, which can be intercepted by an eBPF program.
20. ddelnano ◴[04 Feb 25 15:16 UTC] No.42933364{4}[source]
Author here :). Happy to answer any questions on this TLS tracing stuff.
21. ddelnano ◴[04 Feb 25 15:24 UTC] No.42933483{3}[source]
Yep, that's correct. It uses eBPF upprobes to attach to the SSL_write/SSL_read functions.