Comment by whartung
19 days ago
So if I have a Java program using the AWS libraries and I run it under this thing, it can decode the HTTPS AWS payloads going to Amazon?
How does that work with the AWS certs? How does the program not reject whatever this tool is doing to pull it off?
1. Yes. The following commit taught httptap how to configure Java processes to use its CA cert:
https://github.com/monasticacademy/httptap/commit/4288a89504...
2. How it works is explained in the last two paragraphs of the "How It Works" section of the readme:
> When a client makes an HTTPS request, it asks the server for evidence that it is who it says it is. If the server has a certificate signed by a certificate authority, it can use that certificate to prove that it is who it says it is. The client will only accept such a certificate if it trusts the certificate authority that signed the certificate. Operating systems, web browsers, and many other pieces of software come with a list of a few hundred certificate authorities that they trust. Many of these pieces of software have ways for users to add additional certificate authorities to this list. We make use of this.
> When httptap starts, it creates a certificate authority (actually a private key plus a corresponding x509 certificate), writes it to a file on the filesystem visible only to the subprocess, and sets a few environment variables -- again only visible to the subprocess being run -- that add this certificate authority to the list of trusted certificate authorities. Since the subprocess trusts this certificate authority, and httptap holds the private key for the certificate authority, it can prove to the subprocess that it is the server with which the subprocess was trying to communicate. In this way we can read the plaintext HTTP requests.
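The mechanism quoted above (an ephemeral CA that only the subprocess is told to trust), as an added Go example that is not httptap's own code: it mints a constructed CA, signs a server certificate for a hypothetical host with it, and checks that the certificate verifies only for a client whose trust list contains that CA. The CA name and host name are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign generates a fresh Ed25519 key for tmpl and has parent sign it; a nil parent means self-signed (the CA case).
func sign(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// interceptDemo mints a constructed ephemeral CA, signs a server cert for host with it, and reports whether a client accepts it with and without the CA.
func interceptDemo(host string) (withCA, withoutCA bool, err error) {
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed debug CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca, caKey, err := sign(caTmpl, nil, nil)
	if err != nil {
		return false, false, err
	}
	// Verifiers match the SAN (DNSNames), so the leaf needs no Subject; host is a constructed name.
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	leaf, _, err := sign(leafTmpl, ca, caKey)
	if err != nil {
		return false, false, err
	}
	// Roots is the client's trust list: with the CA added it models the subprocess after httptap's env vars; an empty pool models a client never handed the CA.
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, errWith := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	_, errWithout := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: x509.NewCertPool()})
	return errWith == nil, errWithout == nil, nil
}
```

The second verification is the check a reviewer would run on a process they suspect has had its trust store extended: a server chain that verifies only against an extra CA file named by an environment variable, and not against the system roots, is the signature of an interposed certificate authority.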