Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
You'll fake the certificates? Google defaults to ssl now, you'll need full blown squid, sslbump and a few perl glue scripts.
Post your setup, I'm curious -
@nbamaral I think ill try to make a genuine request to google than modify that page before it gets to a home device, but I'll need to learn more about SSL and how I can monitor the page first
-
@calmyourtities not possible unless you have Google's private keys, or every user device has your certificate authority installed. That's called a MIT (man in the middle) attack and is one of the vectors SSL is meant to mitigate.
-
plusgut60137y@calmyourtities you can't modify the page. You can't decrypt the page inbetween client and server. Sure you can intercept the server response and change the content, but the client will notice that the stuff you send is not fitting to the public key of google.
-
@configurator
If he controls the devices, he may install a ca, but I think chrome pins the certificates, -
@nbamaral that explains why I never could create a dev certificate for my machine despite installing a CA... I ended up using a Let's Encrypt cert but that's a pain for localhost development...
-
@configurator
I'm not 100% sure, I know fb app does it and almost sure chrome too :) -
plusgut60137y@nbamaral yes apps rightfully do so, but I would be suprised if the browser does so too. The browser should do the stuff with the CA's, everything else would be weird. That's what they are for.
-
-
@nbamaral I know google forces SSL, but couldn't I change that, because it's my own proxy?
-
plusgut60137y@calmyourtities the proxy can't change anything, it's just in the middle of the connection. Only Alice(client) and Bob(server) can change it, not Mal(middle/proxy).
If you have access to the client you can install your CA and then you can do the stuff in the proxy.
P.S. it's not ssl anymore but tls -
@plusgut jeez I need to learn more about networking, I pretty much want to port forward all connections to go thru my computer, and then I change them, kinda like the ad blocking on raspberry pi. I always called it a proxy, and no one ever questioned it, I need to be around smarter people.
-
@plusgut I mean modifying the response that the device receives, not Google's, in fact, I think I really only need to access google once.
-
@calmyourtities
What plusgut said above.
It's not impossible, but it's hard, essentially you have to fake and make devices believe it's real.
that's why everyone is going ssl these days, to assure content isn't messed up with, -
plusgut60137y@calmyourtities as I said that's possible for unencrypted stuff but not for encrypted, then you need access to the clients.
But don't be scared about it, just do the stuff you try to do and you will learn all the stuff over time. -
And it's a proxy, you're not wrong :)
Create a CA, install it on the a client and create a few certs for some sites.
Route to you PC, use socat to watch the content. Can't point you to a more complete tutorial, because I'm at vacation -
plusgut60137y@nbamaral it's tls nowadays not ssl. And it's not hard either, you just need access to the client and install the CA and then just put your proxy in action. And there is software which generates certificates on the fly and does the proxy stuff.
-
@plusgut
Ahahah, yeah I still call it ssl
Yes, I know it's not hard, I admin a few proxies and faked certs before to debug/spy secret apis on apps :) -
@plusgut
Ahahah yes, never had to decrypt my users traffic.
And mitm apps it's the only way to see how developers cheat on published apis sometimes :p -
@calmyourtities
When the browser requests it its already https, it won't recognize a http answer, sorry -
plusgut60137y@calmyourtities if the client specifically asks for http then you absolutly can intercept it without any problem. And do the stuff you desire.
-
plusgut60137y@calmyourtities no you can't make redirect to http, because you can't change the https response.
-
What you can do to learn all of this is what plusgut said: create a ca, install it on the browser, create a cert using the ca, and redirect the traffic for that site to your server.
There you can use socat to decrypt and send it anyway and get the responses.
Something like this
https://stackoverflow.com/questions... -
@plusgut could I wait until the certificate expires, then make them connect to my network before getting the new certificate
-
plusgut60137y@calmyourtities no,the client will just say that the certificat expired. I already told you the only legit way to do it.
-
They wouldn't even notice if you would just exchange the logo
And for some you wouldn't even need to change the logo
Related Rants
I plan on making a proxy for my home network. Whenever you make a Google search, it will search it on duckduckgo and return the same results, but look as if it were google. Will people notice the difference?
undefined
google
is this a social experiment?
duckduckgo