[HN Gopher] Capturing Linux SSL/TLS plaintext without a CA certi...
       ___________________________________________________________________
        
       Capturing Linux SSL/TLS plaintext without a CA certificate using
       eBPF
        
       Author : walterbell
       Score  : 67 points
       Date   : 2024-07-11 17:31 UTC (5 hours ago)
        
 (HTM) web link (github.com)
 (TXT) w3m dump (github.com)
        
       | Brian_K_White wrote:
       | 2022 https://news.ycombinator.com/item?id=33826131
        
         | walterbell wrote:
         | Latest release: 2024-07-09
         | 
         | changelog:
         | https://github.com/gojue/ecapture/blob/master/CHANGELOG.md
        
         | gtirloni wrote:
         | nice one comment thread.
        
           | Brian_K_White wrote:
           | Zero comment thread, since the only comment was the
           | submitter. That was my point.
           | 
           | I figured the reason it wasn't interesting the first time was
           | something like "Are you telling me that a kernel, and anyone
           | with root access to that kernel, can ultimately know
           | everything a kernel does? Shocking!"
        
       | evanjrowley wrote:
       | Gigamon offers a capability they call _Precryption_ which
       | functions the same under the hood, but also with a centralized
       | interface: https://www.gigamon.com/campaigns/precryption.html
        
       | p1mrx wrote:
       | > Note: Need ROOT permission.
        
       | cpach wrote:
       | What is the use case for this? Learning more about how Android
       | apps communicate with their home server?
        
         | jcrawfordor wrote:
         | Very useful for reverse engineering and security auditing of
         | internal APIs. Particularly on Android a lot of apps pin CA
         | certs or use their own trust store, so you have to do a little
         | RE on them to insert your own cert... Or do it this way.
        
         | justahuman74 wrote:
         | Inspecting what apps are sending out when they don't want you
         | to see
        
         | hawski wrote:
         | Just today I thought about a hypothetical strace analog for web
         | requests. Something that could trace all the HTTPS requests a
         | program makes without playing around with certificates.
        
       | egberts1 wrote:
       | Note to Linus: We have to be able to compile out this eBPF kernel
       | config option, like completely.
        
         | fragmede wrote:
         | I believe that's CONFIG_BPF
        
         | wmf wrote:
         | If eBPF is disabled you can use other debugging facilities.
        
         | A1kmm wrote:
         | Note that despite the headline, the feature actually used here
         | is kprobe and uprobe (which use eBPF to collect data every time
         | an event, such as passing a certain point in code, is executed -
         | allowing for hooking of functions and extraction of data). You
         | can turn them off with CONFIG_KPROBE_EVENTS=n and
         | CONFIG_UPROBE_EVENTS=n.
         | 
         | That said, there are other ways to do similar probing:
         | - Loading kernel modules.
         | - Using ptrace.
         | - Using LD_PRELOAD against a dynamic binary.
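The comment above names the kernel options that gate this technique. The script below is an added example, not code from the thread or from the eCapture project, showing how an administrator can audit a kernel config for those options. The function names (probe_status, uprobe_hooking_possible, write_sample_config) are hypothetical, and the two sample configs it writes are constructed for the demonstration; on a real host you would point probe_status at /boot/config-$(uname -r) or at a decompressed /proc/config.gz instead.

```shell
#!/bin/sh
# Added example: audit a kernel .config for the probe/eBPF facilities that
# uprobe-based TLS capture depends on. Not part of eCapture or the thread.

# probe_status <config-file>
# Prints one line per option in the form NAME=y|m|n|unset.
# "n" means the file carries the "# NAME is not set" marker;
# "unset" means the option does not appear at all (older/newer kernel).
probe_status() {
    cfg="$1"
    for opt in CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_KPROBES \
               CONFIG_KPROBE_EVENTS CONFIG_UPROBES CONFIG_UPROBE_EVENTS; do
        if grep -q "^${opt}=y\$" "$cfg"; then
            state=y
        elif grep -q "^${opt}=m\$" "$cfg"; then
            state=m
        elif grep -q "^# ${opt} is not set\$" "$cfg"; then
            state=n
        else
            state=unset
        fi
        printf '%s=%s\n' "$opt" "$state"
    done
}

# uprobe_hooking_possible <config-file>
# Exit 0 when eBPF programs can be attached to user-space probes
# (needs the bpf() syscall and uprobe trace events), else exit 1.
uprobe_hooking_possible() {
    probe_status "$1" | grep -q '^CONFIG_BPF_SYSCALL=y$' &&
    probe_status "$1" | grep -q '^CONFIG_UPROBE_EVENTS=y$'
}

# write_sample_config <path> default|hardened
# Writes a constructed sample config so the functions above can be
# exercised offline. A real config has thousands of lines; only the
# relevant ones are included here.
write_sample_config() {
    case "$2" in
        default)
            cat > "$1" <<'EOF'
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_KPROBES=y
CONFIG_KPROBE_EVENTS=y
CONFIG_UPROBES=y
CONFIG_UPROBE_EVENTS=y
EOF
            ;;
        hardened)
            cat > "$1" <<'EOF'
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_KPROBES=y
# CONFIG_KPROBE_EVENTS is not set
CONFIG_UPROBES=y
# CONFIG_UPROBE_EVENTS is not set
EOF
            ;;
    esac
}

# Stand-alone use: ./audit.sh /boot/config-$(uname -r)
if [ $# -gt 0 ]; then
    probe_status "$1"
    if uprobe_hooking_possible "$1"; then
        echo "uprobe+eBPF hooking: possible"
    else
        echo "uprobe+eBPF hooking: not possible with this config"
    fi
fi
```

Note that a "hardened" result only tells you the uprobe trace-event path is closed; as the same comment points out, ptrace, LD_PRELOAD and loadable modules give a root user equivalent reach, so the config check is an inventory item, not a guarantee.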
        
       ___________________________________________________________________
       (page generated 2024-07-11 23:00 UTC)