英文:
Why all HTTPS communications are visible to other apps on a device? HTTP Toolkit
问题
我注意到使用HTTP Toolkit,您可以以未加密的形式嗅探来自Windows和Android OS上的浏览器,以及在经过Root的Android设备、模拟器或通过PC上的某种解决方法上的所有应用程序的HTTPS通信。所有来自标头、请求正文和响应的字段和数据都会在未加密的情况下拦截。
我认为这是一个重大的安全漏洞,因为黑客可以轻松分析应用程序的通信方式,从而获取更多关于服务器通信方式的知识,还可以在标头中看到API密钥。
此外,安装一些间谍软件来记录在他的PC或公共PC上输入的凭据,与HTTP Toolkit的方式相同。
这是否允许发生的原因是什么?有没有办法阻止这种情况发生?
英文:
I noticed that using HTTP Toolkit, you can sniff all HTTPS communications in an unencrypted form, from browsers on Windows and Android OS, plus all applications on a rooted Android device or an emulator or via some workaround on a PC. All fields and data from headers, request bodies, and responses are intercepted without encryption.
I find this to be a significant security flaw as a hacker can easily analyze how an app communicates, thus gaining more knowledge on how the server communicates, plus seeing API keys in the headers.
In addition, installing some spyware to record entered credentials on his PC or a public PC, same way as HTTP Toolkit does.
Is there a reason this is allowed to happen in the first place? Is there a way to prevent this from happening?
答案1
得分: 3
这是允许的,因为它非常有用。这是实现各种调试、测试和性能分析工具的方式,以及某些广告拦截器和其他流量修改器的方式。
这是可能的,因为它不能以最一般的方式被阻止。完全控制设备的用户可以检查该设备上的所有行为和流量。这就是控制设备的含义。流量加密是为了保护用户,而不是为了保护应用程序免受用户的侵害。如果查看API会显著影响系统的安全性,那么系统已经不安全。
您担心攻击者可能接管用户的计算机并观察他们,这是有效的,但问题比这更深刻。拥有系统管理权限的攻击者可以观察各种事物,通常是通过安装键盘记录器来观察用户的键盘输入。无法确保攻击者完全物理访问的设备的安全性。
您可以使用证书固定来限制TLS嗅探。Google不建议这样做,因为它难以管理。但是,对于某些情况,这样做是值得的。还可以参考HTTP Toolkit的关于这个主题的讨论。
您找到了一个值得研究的好东西。我建议深入研究HTTP Toolkit的工作原理。这将让您更好地理解TLS提供和不提供的功能。
英文:
It's explicitly allowed because it's extremely useful. It's how all kinds of debugging, testing, and profiling tools are implemented, as well as some kinds of ad blockers and other traffic modifiers.
It's possible because it cannot be prevented in the most general way. A user who fully controls a device can inspect all behavior and traffic on that device. That is what it means to control a device. Traffic is encrypted to protect the user, not to protect apps from their user. If seeing the API would significantly impact the security of the system, the system is already insecure.
Your concern that an attacker may take over a user's machine and observe them is valid, but is far deeper than this. An attacker who has administrative access to the system can observe all kinds of things; mostly commonly by installing a keylogger to watch what they type. There is no way to secure a device that an attacker has complete physical access to.
You can limit TLS sniffing using certificate pinning. Google does not recommend this because it's hard to manage. However, for some situations, it's worth the trouble. See also HTTP Toolkit's discussion on the topic.
You've found a good thing to study. I recommend digging into how HTTP Toolkit works. It will give you a much better understanding of what TLS does and doesn't provide.
答案2
得分: 1
I don't think that is too serious.
HTTP Toolkit 无法拦截您的正常浏览器。
它只会创建一个浏览器的访客配置文件,然后打开并拦截它。
这个浏览器与您自己的浏览器无关,它们之间不共享任何信息。
在Selenium中也是一样的情况。
Selenium广泛用于自动化测试,并可以与Python、C#等语言集成。
它也会打开一个独立配置文件的浏览器,并从您的测试代码与之通信。
无论如何,它们都无法拦截您的正常浏览器。
如果您关心安全问题,那么您不应该通过HTTP Toolkit或Selenium打开的浏览器浏览包含敏感数据的网站。
请使用您的正常浏览器。
英文:
I don't think that is too serious.
HTTP Toolkit can not intercept the your normal browser.
It only creates a guest profile of browser, open and intercept it.
This browser does not have related to your own browser and does not share between them.
The same thing happen in Selenium.
Selenium is used widely for automated testing and can be integrated with python, C# and so on.
This also opens their own browser with separated profile and communicate with it from your test code.
Anyway, they can not intercept your normal browser.
If you are serious about the security, then you must not explore the websites with sensitive data via browser that is opened by the HTTP Toolkit or Selenium.
Just use your normal browser.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论