664 points alexflint | 2 comments

ranger_danger No.42921763
Why not use eBPF instead? Then you could see all http requests from all processes at once, including ones that are already running. Plus you wouldn't need to bother with TLS at all, just hook on e.g. write(2).
replies(5): >>42921870, >>42921954, >>42923824, >>42924500, >>42927428
adtac No.42923824
How would hooking on write(2) solve TLS? You'll be able to read and modify the ciphertext, but the process will never call write(2) with the plaintext bytes, so you can't actually read the HTTP request. You'll just see the encrypted bytes that go on the wire, but so does the NSA :)

You need the kind of CA certificate trick that httptap uses. It comes with its own set of caveats (e.g. certificate pinning), but it can be made to work reliably in most practical scenarios.

I've spent an unjustifiable amount of time thinking about this specific problem building Subtrace [1], so I'm genuinely very interested in a simpler / more elegant approach.

[1] https://github.com/subtrace/subtrace

replies(2): >>42929856, >>42932717
1. jeroenhd No.42929856
I believe that's how https://github.com/gojue/ecapture works. I don't know the details, but it seems to work!
replies(1): >>42933483
2. ddelnano No.42933483
Yep, that's correct. It uses eBPF uprobes to attach to the SSL_write/SSL_read functions.