←back to thread

Curl-impersonate: Special build of curl that can impersonate the major browsers

(github.com)
545 points mmh0000 | 3 comments | 03 Apr 25 15:24 UTC | HN request time: 0s | source
Show context
ec109685 ◴[03 Apr 25 16:59 UTC] No.43572497[source]
There are API’s that chrome provides that allows servers to validate whether the request came from an official chrome browser. That would detect that this curl isn’t really chrome.

It’d be nice if something could support curl’s arguments but drive an actual headless chrome browser.

replies(4): >>43572551 #>>43572562 #>>43572695 #>>43573014 #
do_not_redeem ◴[03 Apr 25 17:41 UTC] No.43573014[source]
Siblings are being more charitable about this, but I just don't think what you're suggesting is even possible.

An HTTP client sends a request. The server sends a response. The request and response are made of bytes. Any bytes Chrome can send, curl-impersonate could also send.

Chromium is open source. If there was some super secret handshake, anyone could copy that code to curl-impersonate. And if it's only in closed-source Chrome, someone will disassemble it and copy it over anyway.

replies(2): >>43573123 #>>43574874 #
dist-epoch ◴[03 Apr 25 20:20 UTC] No.43574874[source]
> someone will disassemble it and copy it over anyway.

Not if Chrome uses homomorphic encryption to sign a challange. It's doable today. But then you could run a real Chrome and forward the request to it.

replies(1): >>43575809 #
do_not_redeem ◴[03 Apr 25 21:41 UTC] No.43575809[source]
No, even homomorphic encryption wouldn't help.

It doesn't matter how complicated the operation is, if you have a copy of the Chrome binary, you can observe what CPU instructions it uses to sign the challenge, and replicate the operations yourself. Proxying to a real Chrome is the most blunt approach, but there's nothing stopping you from disassembling the binary and copying the code to run in your own process, independent of Chrome.

replies(1): >>43576174 #
dist-epoch ◴[03 Apr 25 22:21 UTC] No.43576174[source]
> you can observe what CPU instructions it uses to sign the challenge, and replicate the operations yourself.

No you can't, that's the whole thing with homomorphic encryption. Ask GPT to explain it to you why it's so.

You have no way of knowing the bounds of the code I will access from the inside the homomorphic code. Depending on the challenge I can query parts of the binary and hash that in the response. So you will need to replicate the whole binary.

Similar techniques are already used today by various copy-protection/anti-cheat game protectors. Most of them remain unbroken.

replies(2): >>43576408 #>>43577407 #
1. do_not_redeem ◴[04 Apr 25 01:26 UTC] No.43577407[source]
You're just describing ordinary challenge-response. That has nothing to do with homomorphic encryption and there are plenty of examples from before homomorphic encryption became viable, for example https://www.geoffchappell.com/notes/security/aim/index.htm

Homomorphic encryption hides data, not computation. If you've been trying to learn compsci from GPT, you might have fallen victim to hallucinations. I'd recommend starting from wikipedia instead. https://en.wikipedia.org/wiki/Homomorphic_encryption

And btw most games are cracked within a week of release. You have way too much faith in buzzwords and way too little faith in bored Eastern European teenagers.

replies(1): >>43579982 #
2. dist-epoch ◴[04 Apr 25 09:32 UTC] No.43579982[source]
> Homomorphic encryption hides data, not computation

Data is computation.

  x = challenge_byte ^ secret_key
  if x > 64:
    y = hash_memory_range()
  else:
    y = something_else()
  return sign(y, secret_key)
replies(1): >>43587735 #
3. do_not_redeem ◴[04 Apr 25 21:25 UTC] No.43587735[source]
That snippet has nothing to do with homomorphic encryption. It's just the same kind of challenge-response AIM and many others were already doing in the 90s.

You seem convinced that homomorphic encryption is some kind of magic that prevents someone from observing their own hardware, or from running Chrome under a debugger. That's just not true. And I suspect we don't share enough of a common vocabulary to have a productive discussion, so I'll end it here.