Comment by gear54rus
19 days ago
can it modify requests or responses? with the current web getting increasingly user-hostile a need for tool like this was never more apparent
especially if it doesn't require proxy configuration
19 days ago
can it modify requests or responses? with the current web getting increasingly user-hostile a need for tool like this was never more apparent
especially if it doesn't require proxy configuration
> especially if it doesn't require proxy configuration
It does require trusting a local CA, or apps away from the browser being configured not to validate CAs (or trust the new CA) if they don't push responsibility for that to the OS-level support.
I'm not sure it would be a good idea for the non-technical public: teaching them how to setup trust for a custom CA and that it is sometimes a good thing to do, would lead to a new exploit route/tool for phishers and other black-hats because many users are too naively trusting or too convenience focussed to be appropriately careful. How many times have we seen people install spyware because of claims that it will remove spyware? It could also be abused by malicious ISPs, or be forced on other ISPs by governments “thinking of the children”.
> How many times have we seen people install spyware because of claims that it will remove spyware?
That is the kind of example that completely disproves your point. How many times do we have to fall into 'just lock everything down for safety' pit and end up with being forced to look at even more ads as a result before we learn?
The only way to be safe is to be informed, 'just works' doesn't exist. Don't trust anyone but yourself.
> The only way to be safe is to be informed
Unfortunately getting everyone into an informed state is a massive and so far unattainable task, and those not well-informed are not just a potential danger to themselves but to the rest of the network, so we need fail-safe protections in place and to not encourage people to disable them for the sake of convenience.
> Don't trust anyone but yourself.
But do encourage people to trust a CA they have no knowledge how to verify? That CA could also sign things that happen in the background so trusting is potentially trusting a huge portion of the Internet with no further stopping points for the user to verify trust. Your point seems to be internally contradictory.
Agreed! So there isn't any interface for modifying requests/responses at present, but it's definitely possible given the underlying approach. If you consider [this line of code](https://github.com/monasticacademy/httptap/blob/main/http.go...) where you have an HTTP request parsed from the <command> that ran and are about to send it out to the public internet: you could modify the request (or the response that is received a few lines further) in just the way that you would modify a normal http.Request in Go.
Injecting random data into telemetry requests to mess up someone’s pretty dashboard?
There's at least https://adnauseam.io/ for that already
1 reply →
if the program doesn't pin certificates, you should be able to intercept them by telling your machine to trust a certificate authority of your own creation and performing a mitm attack on the process's traffic. if it does do certificate pinning, then it won't trust your home issued cert, and will refuse to send data through your proxy.
You might find mitmproxy useful.
Yep, mitmproxy is fantastic IMO.
Apparently there's JS interface for it too: https://www.npmjs.com/package/mitmproxy
But the problem with it is that you have to configure proxy in the app (they do got transparent and wireguard modes but there's still quite a bit of configuration).