Comment by alexflint
19 days ago
httptap is a process-scoped http tracer that you can run without root priveleges. You can run `httptap <command>` where <command> is a linux program and you get a trace of http/https requests and responses in standard output:
httptap -- python -c "import requests; requests.get('https://monasticacademy.org')"
---> GET https://monasticacademy.org/
<--- 308 https://monasticacademy.org/ (15 bytes)
---> GET https://www.monasticacademy.org/
<--- 200 https://www.monasticacademy.org/ (5796 bytes)
It works by running <command> in an isolated network namespace. It has its own TCP/IP stack (for which it uses gVisor). It is not an HTTP proxy and so does not rely on <command> being configured to use an HTTP proxy. It decrypts TLS traffic by generating a CA on the fly. It won't install any iptables rules or make other global system changes.
Do you know if it's possible to get this working on macos? I believe Tailscale uses gvisor's tcp/ip lib (as their netstack lib) on macos for certain things.
Does Darwin have network namespaces like the Linux kernel does? I get the impression that's an important component of this approach
Yes, good point, maybe that is the blocker.
2 replies →
can it modify requests or responses? with the current web getting increasingly user-hostile a need for tool like this was never more apparent
especially if it doesn't require proxy configuration
> especially if it doesn't require proxy configuration
It does require trusting a local CA, or apps away from the browser being configured not to validate CAs (or trust the new CA) if they don't push responsibility for that to the OS-level support.
I'm not sure it would be a good idea for the non-technical public: teaching them how to setup trust for a custom CA and that it is sometimes a good thing to do, would lead to a new exploit route/tool for phishers and other black-hats because many users are too naively trusting or too convenience focussed to be appropriately careful. How many times have we seen people install spyware because of claims that it will remove spyware? It could also be abused by malicious ISPs, or be forced on other ISPs by governments “thinking of the children”.
> How many times have we seen people install spyware because of claims that it will remove spyware?
That is the kind of example that completely disproves your point. How many times do we have to fall into 'just lock everything down for safety' pit and end up with being forced to look at even more ads as a result before we learn?
The only way to be safe is to be informed, 'just works' doesn't exist. Don't trust anyone but yourself.
1 reply →
Agreed! So there isn't any interface for modifying requests/responses at present, but it's definitely possible given the underlying approach. If you consider [this line of code](https://github.com/monasticacademy/httptap/blob/main/http.go...) where you have an HTTP request parsed from the <command> that ran and are about to send it out to the public internet: you could modify the request (or the response that is received a few lines further) in just the way that you would modify a normal http.Request in Go.
Injecting random data into telemetry requests to mess up someone’s pretty dashboard?
2 replies →
if the program doesn't pin certificates, you should be able to intercept them by telling your machine to trust a certificate authority of your own creation and performing a mitm attack on the process's traffic. if it does do certificate pinning, then it won't trust your home issued cert, and will refuse to send data through your proxy.
You might find mitmproxy useful.
Yep, mitmproxy is fantastic IMO.
1 reply →
Did everyone forget about wireshark, which can totally be ran as non-root?
https://blog.wireshark.org/2010/02/running-wireshark-as-you/
It certainly doesn't provide automated, process-scoped HTTPS interception.
It's still more setup than just installing this tool.
Also, can Wireshark/libpcap decrypt SSL/TLS traffic this easily?
Not in my experience; I think I gave up and opted for mitmproxy which works but is not this easy/seamless.
Wireshark is awesome but yeah as others mentioned it's the TLS decryption piece that is difficult in that workflow