Comment by xorcist

19 days ago

It's a bit of a thin solution though, isn't it? As you say, it's dependent on both the specific CA store and resolver behaviour. It's probably going to be robust enough on the most common SSL libraries, such as OpenSSL. But if we're going that route, why not just run the software against a patched SSL library which dumps the traffic?

That also doesn't require any elevated privileges (as opposed to other methods of syscall interception) and is likely much easier to do. It has the added benefit of being robust against applications either pinning certificates outright or just being particular about serial numbers, client certificates, and anything like that.