←back to thread

Httptap: View HTTP/HTTPS requests made by any Linux program

(github.com)
664 points alexflint | 3 comments | 03 Feb 25 16:28 UTC | HN request time: 0.001s | source
Show context
alexflint ◴[03 Feb 25 16:28 UTC] No.42919910[source]
httptap is a process-scoped http tracer that you can run without root priveleges. You can run `httptap <command>` where <command> is a linux program and you get a trace of http/https requests and responses in standard output:

    httptap -- python -c "import requests; requests.get('https://monasticacademy.org')"
    ---> GET https://monasticacademy.org/
    <--- 308 https://monasticacademy.org/ (15 bytes)
    ---> GET https://www.monasticacademy.org/
    <--- 200 https://www.monasticacademy.org/ (5796 bytes)
It works by running <command> in an isolated network namespace. It has its own TCP/IP stack (for which it uses gVisor). It is not an HTTP proxy and so does not rely on <command> being configured to use an HTTP proxy. It decrypts TLS traffic by generating a CA on the fly. It won't install any iptables rules or make other global system changes.
replies(3): >>42920666 #>>42921671 #>>42922996 #
gear54rus ◴[03 Feb 25 17:35 UTC] No.42920666[source]
can it modify requests or responses? with the current web getting increasingly user-hostile a need for tool like this was never more apparent

especially if it doesn't require proxy configuration

replies(4): >>42921354 #>>42921863 #>>42922082 #>>42930927 #
1. dspillett ◴[04 Feb 25 11:11 UTC] No.42930927[source]
> especially if it doesn't require proxy configuration

It does require trusting a local CA, or apps away from the browser being configured not to validate CAs (or trust the new CA) if they don't push responsibility for that to the OS-level support.

I'm not sure it would be a good idea for the non-technical public: teaching them how to setup trust for a custom CA and that it is sometimes a good thing to do, would lead to a new exploit route/tool for phishers and other black-hats because many users are too naively trusting or too convenience focussed to be appropriately careful. How many times have we seen people install spyware because of claims that it will remove spyware? It could also be abused by malicious ISPs, or be forced on other ISPs by governments “thinking of the children”.

replies(1): >>42931030 #
2. gear54rus ◴[04 Feb 25 11:29 UTC] No.42931030[source]
> How many times have we seen people install spyware because of claims that it will remove spyware?

That is the kind of example that completely disproves your point. How many times do we have to fall into 'just lock everything down for safety' pit and end up with being forced to look at even more ads as a result before we learn?

The only way to be safe is to be informed, 'just works' doesn't exist. Don't trust anyone but yourself.

replies(1): >>42932566 #
3. dspillett ◴[04 Feb 25 14:14 UTC] No.42932566[source]
> The only way to be safe is to be informed

Unfortunately getting everyone into an informed state is a massive and so far unattainable task, and those not well-informed are not just a potential danger to themselves but to the rest of the network, so we need fail-safe protections in place and to not encourage people to disable them for the sake of convenience.

> Don't trust anyone but yourself.

But do encourage people to trust a CA they have no knowledge how to verify? That CA could also sign things that happen in the background so trusting is potentially trusting a huge portion of the Internet with no further stopping points for the user to verify trust. Your point seems to be internally contradictory.