Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Note that mitmproxy, which requires a Python install, is not necessary to monitor what is being sent out from your computing device.

The same results can be achieved using only socat and the openssl binary.

While I understand the terminology is popular, I would not call this "reverse-engineering"; to me this is simply viewing your own traffic.

I believe users have a right to see the traffic they (or the apps they use) are sending, and for security reasons alone they should monitor what is being sent. https plus third party CA usage complicates such transparency, making proxying techniques necessary.

I wish more users would view their own traffic.

Keep up the good work.



I've been MITM'ing my connections ever since I discovered the Proxomitron ( http://en.wikipedia.org/wiki/Proxomitron ) - it lets me customise webpages and filter out the crap before it gets to any browser, and works in all the browsers on the system; even the ones embedded in apps. It has a logging feature to show traffic too.

It would be great if a proxy could be run directly on the mobile device, as then it could be used anywhere along with the apps its monitoring.

As you said HTTPS is a bit of a pain since it's actively designed to resist such "attacks", but as long as there's the option to specify your own CAs it will work. Certificate "unpinning" is still a manual process, however...


How would you use a proxy on a mobile phone? Just curious. I'm not familiar with Proxomitron, so I assume adding filters like privoxy or captures?

People have done this in ways by hacking the built-in VPN system I believe.


You just point to your Proxy server under Settings / WiFi. Alternatively you may want to install your proxy SSL CA on your mobile device, so you can see inside HTTPS connections (if supported).

Charles Proxy has some easy-to-use pointers [1][2].

[1] http://www.charlesproxy.com/documentation/faqs/ssl-connectio...

[2] http://www.charlesproxy.com/documentation/faqs/using-charles...


Is Proxomitron any better than Privoxy?


Could you give a specific example of how socat can be used with the openssl binary in the way you suggest? I'd like to try it.


Personally I would just use the Firefox web developer tools rather than mitmproxy, much easier.


To log app requests? Firefox doesn't have a proxy unless I'm mistaken.


There are at least three addons that allow viewing network activity with Firefox:

https://getfirebug.com/ http://chrispederick.com/work/web-developer/ https://addons.mozilla.org/en-US/firefox/addon/live-http-hea...

I haven't tried it but I expect the developer edition does too:

https://www.mozilla.org/firefox/developer/


But is there any way to use those to inspect traffic originating from outside of Firefox? With mitmproxy (or other tools, such as Charles/Fiddler/etc) you can run pretty much anything through them.


I would just use wireshark for that.


And so we're back to the original article. How do you deal with encrypted connections?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: