Comments
-
@Bitwise so I can man in the middle the devrant app and modify the responses
@Floydian know my scripts? but for the app - to some extent, e.g. face normifier could be ported to this
-
@CozyPlanes I tried to rotate my phone all sorts of orientations to make something out of this, but all I can see is "lee l o l", it's supposed to be some sort of table throwing emote probably, but I just can't see it lol
-
@Bitwise lol not my intent, but I'll make sure to have a separate version for you 😂
-
I'm not a security guy, but how can you do that? You make it seem like sniffing passwords from an HTTP-only connection.
-
@gitpush generate a certificate, trust it on the mobile device, make the server use that cert for devrant.com connections
besides that mitmproxy also takes care of that itself - if there's an HTTPS connection that doesn't yet have a cert generated it creates a new cert signed with the root one that you trust, but I wanted to generate my own, just in case
-
@CozyPlanes oh well that was random lol
@gitpush to my knowledge yes, but googling - it seems there are ways to bypass that, especially on Android, where you can just repackage with your own certs.
-
@JoshBent I see, thank you for the info, I will play around with what Linux said, cuz I have a website that uses Let's Encrypt, and from what I read in your rant I think it is not enough
-
@gitpush somebody would need to install certs on the victims computer, so it's not a really needed addition, if you're not handling money or vital personal data.
-
@JoshBent ahha... Great to know, and no I don't handle money nor personal data other than name and email. The thing that is always making me afraid is noob hackers, I'm no big shot so that pros would come and hack my server, but I'm also not a Linux pro so I make a good victim for those who want to learn lol
-
@gitpush you should be concerned with hardening mainly your server then, no default SSH port, SSH key auth, iptables honeypot ports banning, SSH failed attempts ban, use a middleman like cloudflare so your IP can't be resolved, using only prepared database queries etc.
-
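The "SSH failed attempts ban" item in the hardening list above is what fail2ban does. As an added example (not from this thread and not fail2ban's own code), the script below runs that detection over a few constructed sshd log lines, using a sliding window so that a handful of old failures do not count against a host forever, and renders the iptables DROP rules a ban would install. The log lines, hostnames, IP addresses and the year are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log excerpt (not real traffic). The format follows
# OpenSSH's "Failed password" / "Accepted publickey" syslog lines, which carry
# no year, so the parser is handed one explicitly.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  3 10:01:04 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar  3 10:01:05 srv sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  3 10:01:09 srv sshd[1205]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  3 10:01:11 srv sshd[1207]: Failed password for invalid user test from 203.0.113.7 port 51004 ssh2
Mar  3 10:02:30 srv sshd[1210]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Mar  3 10:02:35 srv sshd[1212]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
Mar  3 11:30:00 srv sshd[1300]: Failed password for root from 192.0.2.44 port 60000 ssh2
Mar  3 11:30:01 srv sshd[1301]: Failed password for root from 192.0.2.44 port 60001 ssh2
Mar  3 12:45:00 srv sshd[1400]: Failed password for root from 192.0.2.44 port 60002 ssh2
Mar  3 12:45:01 srv sshd[1401]: Failed password for root from 192.0.2.44 port 60003 ssh2
Mar  3 12:45:02 srv sshd[1402]: Failed password for root from 192.0.2.44 port 60004 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(log_text, year):
    """Yield (timestamp, source_ip, username) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def find_bruteforce_sources(log_text, max_retries=5, window_minutes=10, year=2024):
    """Return {ip: time_the_threshold_was_crossed} for every source that produced
    max_retries failures inside a sliding window of window_minutes
    (the equivalent of fail2ban's maxretry / findtime)."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned = {}
    for ts, ip, _user in parse_failed_logins(log_text, year):
        if ip in banned:
            continue  # already decided; a real ban would also drop its packets
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # expire failures older than the window
        if len(q) >= max_retries:
            banned[ip] = ts
    return banned


def iptables_rules(banned):
    """Render one DROP rule per banned source, in address order."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    hits = find_bruteforce_sources(SAMPLE_AUTH_LOG)
    for ip, when in hits.items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
    print("\n".join(iptables_rules(hits)))
```

With the defaults only 203.0.113.7 is caught: 192.0.2.44 spread its five failures over 75 minutes, so it is only flagged once the window is widened (for example to 120 minutes), which is the trade-off between catching slow guessing and locking out a user who mistyped a password twice.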
@gitpush page rules are things that you want cloudflare to handle, aka things you're too lazy for most often, like a 301 redirect or http to https force etc. I have barely ever used those and you can have a very good amount of traffic before there's any limits too, also iirc unlimited domains connected
-
@JoshBent I see, great, then I'll go for it, cuz for now I let nginx handle http to https and other pages like 404
Thanks again for your help, much appreciated :))
-
@gitpush you're welcome, cloudflare has also different SSL modes, so basically you could even not have SSL on your server and cloudflare would front you with their cert and communicate with your server internally through http, generally it's enough, because double the handshake double the trouble imho
-
@JoshBent But how can they do that internally? Do I need to install anything on my server so that the connection between my server and cloudflare is secure?
-
@gitpush nope, you don't need to install anything, just know that they are an SSL terminating proxy, so in *theory* they could get all your conspiracies that are transferred over HTTPS, that's why many here are "paranoid" about it, even though literally any other CDN/ddos service basically does the same with just a different name and the benefit outweighs getting ddosed or using cdn hacks.
-
@JoshBent sorry I ask too much, but even if I use my own certificate, they can still see data between me and them?
-
@gitpush don't worry, I think if you use a CA cert they still have to ssl terminate to redirect it to your server, but not sure on that, maybe @condor @linux @perfectasshole or @linuxxx know an answer to that, since that would interest me too.
-
@JoshBent @gitpush I'm not a hero in this one honestly but @PerfectAsshole would know an answer I think :)
-
@gitpush @JoshBent @linuxxx it terminates the incoming https connection then creates another one. Otherwise using a self-signed cert between something like cloudflare and your server would say unsigned certificate.
Also a side note with HSTS and private key pinning it is just about impossible to mitm a server unless you attack at the browser level to ignore those headers
-
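The HSTS half of that side note, as an added example (not from this thread and not any browser's code): a small model of the browser-side HSTS store, which is what makes a plain-http downgrade fail for a host the browser has already seen over HTTPS. It covers only HSTS, not key pinning. The header values, hostnames and timestamps are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains),
    or None when the mandatory max-age directive is missing or malformed."""
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # the value may be quoted
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Browser-side HSTS state: host -> (expiry time, includeSubDomains)."""

    def __init__(self):
        self._hosts = {}

    def observe(self, host, header_value, now, over_https=True):
        """Record the policy a response carried. Returns True if state changed."""
        if not over_https:
            return False  # the header is only honoured on a secure connection
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            return self._hosts.pop(host, None) is not None  # max-age=0 revokes
        self._hosts[host] = (now + max_age, include_subdomains)
        return True

    def is_known(self, host, now):
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires, include_subdomains = entry
            if now >= expires:
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite_url(self, url, now):
        """Upgrade an http:// URL to https:// when the host is a known HSTS host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname, now):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc += f":{parts.port}"  # non-default ports are kept as they are
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    store.observe("example.com", "max-age=31536000; includeSubDomains", now=1000)
    print(store.rewrite_url("http://api.example.com/v1/notifs", now=2000))
```

The two things worth noticing are that the header is ignored when it arrives over plain http (otherwise anyone on the path could set or clear the policy) and that the protection only exists after the first genuine HTTPS visit, which is why browsers also ship a preload list.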
@gitpush no problem. You can use ssl passthrough to use the cert from the server and from that point a service can't see anything but at that point there's no difference between using cloudflare over a standard dns service since they can't filter out any traffic
-
@linuxxx @Linux @PerfectAsshole awesome thanks :) so I guess I just hope I won't have to repackage the app just to get it to work with a custom cert any time soon
-
@Linux he would have to use a custom https client that ignores headers so it is possible
-
@PerfectAsshole @Linux haven't really tested yet much, since there's no need yet, but most of the time just replacing the cert inside the package seemed to work as described here:
https://blog.netspi.com/four-ways-b...
haven't yet tried the frida thing, but I remember from root times that something similar as a module worked too.
First (working) attempts at writing a proxy that rewrites live requests from the devrant app, right now it only rewrites all notifications to be unread
Though the first attempt that finally works is built with mitmproxy and its add-on scripting, plan is to get that stuff to work with e.g. goproxy instead
devrant