tomsonj 5 days ago

chisel is a similar tool in this space https://github.com/jpillora/chisel

I don’t get why headers and requests need to be spoofed if all traffic is over https?

mhio 5 days ago | parent | next [-]

The headers are seen by the monster-in-the-middle CDN.

It's obfuscation at best. I'm not sure the encrypted traffic will look particularly php-ish for example. Compressed formats might look vaguely passable.

I can't see any steganography code or libraries in the repo.

tomsonj 5 days ago | parent [-]

yeah, if the CDN is not trusted this tool won't help, but then little would

duskwuff 5 days ago | parent | prev | next [-]

> I don’t get why headers and requests need to be spoofed if all traffic is over https?

Because the traffic is to a CDN endpoint (like Cloudflare) which expects it to be a HTTP message.

tomsonj 5 days ago | parent [-]

it can still be an https message, who cares what the path, query string, or headers look like? that is all encrypted

Titan2189 5 days ago | parent | prev | next [-]

> I don’t get why headers and requests need to be spoofed if all traffic is over https?

https://en.wikipedia.org/wiki/Deep_packet_inspection

fragmede 5 days ago | parent [-]

how are they looking inside the packet if it's encrypted?

sodality2 5 days ago | parent [-]

DPI doesn't have to decrypt it to make certain guesses about its content. For example, timing information, packet sizes, routing info, etc could lead you to believe it's certain kinds of things (SSH, VPN, etc).

coretx 5 days ago | parent | prev [-]

Because SNI. Also, State (sponsored) Actors are certificate authorities. HTTPS is the biggest scam in internet history. https://en.wikipedia.org/wiki/Server_Name_Indication

astrange 5 days ago | parent | next [-]

This certainly was an issue but it's solved by ECH/DoH. As long as they aren't blocked on your network anyway.

> Also, State (sponsored) Actors are certificate authorities.

To generate a fake certificate as a CA you have to either put it in the Certificate Transparency log, in which case everyone will notice, or don't, in which case browsers will notice (they know what top sites' certificates are supposed to look like) and your CA will get shut down.

hamilyon2 5 days ago | parent [-]

Someone should really test it, real red team black hat style and then fully publish the results. Try to mitm https with real unlogged certs and see what happens. Preregister the whole fully detailed procedure on blockchain. And report to public results fully, with proofs of being caught.

account42 5 days ago | parent | prev [-]

SNI doesn't expose headers and request paths.