Httptap: View HTTP/HTTPS requests made by any Linux program

(github.com)

664 points alexflint | 3 comments | 03 Feb 25 16:28 UTC | HN request time: 0.413s | source

Show context

ranger_danger ◴[03 Feb 25 19:23 UTC] No.42921763[source]▶

>>42919909 (OP) #

Why not use eBPF instead? Then you could see all http requests from all processes at once, including ones that are already running. Plus you wouldn't need to bother with TLS at all, just hook on e.g. write(2).

replies(5): >>42921870 #>>42921954 #>>42923824 #>>42924500 #>>42927428 #

1. alexflint ◴[03 Feb 25 22:52 UTC] No.42924500[source]▶

>>42921763 #

Unfortunately TLS happens inside the the application, not in the kernel, so using eBPF to hook syscalls to write won't help with TLS decryption.

replies(2): >>42924670 #>>42928250 #

2. dgl ◴[03 Feb 25 23:09 UTC] No.42924670[source]▶

>>42924500 (TP) #

It is quite simple to use eBPF with uprobes to hook library calls, for example: https://github.com/iovisor/bcc/blob/master/tools/sslsniff.py

The downside is this doesn't work with anything not using OpenSSL, there are projects like https://github.com/gojue/ecapture which have interceptors for many common libraries, but the downside is that needs different code for each library.

I think providing a TLS certificate is fine for the use cases of the tool; most tools won't be doing certificate pinning, but ecapture does support Android where this is more likely.

3. ranger_danger ◴[04 Feb 25 05:07 UTC] No.42928250[source]▶

>>42924500 (TP) #

But read and write syscalls are used by the application to do I/O on the sockets before/after the encryption, which can be intercepted. Or you can attach uprobes directly to the TLS library's own functions.

↑