• Unforeseen@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      8
      ·
      6 months ago

      Wireshark won’t show you anything if it’s encrypted, other then a communication taking place. There’s nothing stopping them from batching or otherwise obfuscating things through all kinds of means.

      • Rustmilian@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        6 months ago

        It entirely depends on how you set it up and where in the transport pipeline you’re intercepting pockets from.

        • whoareu
          link
          fedilink
          English
          arrow-up
          2
          ·
          6 months ago

          how do you circumvent the HTTPS encryption?

          • Rustmilian@lemmy.world
            link
            fedilink
            English
            arrow-up
            4
            ·
            edit-2
            6 months ago

            By combining with other methods for intercepting HTTPS traffic, typically involving installing certificates or modifying system configurations like configuring your browser or operating system to log secret keys.

            To break down the process of the cert method :

            • Device Trust: Install a trusted Root CA certificate (issued by you) on the Android device using Root permissions. This certificate tricks apps into trusting the proxy. Without Root level install the apps may reject the certificate as User Installed.
            • Device Routes Traffic : Configure the rooted Android device to route its traffic to the proxy on the separate system. This can be done through proxy settings.
            • Proxy Decryption : Configure the proxy to use the corresponding private key to decrypt the HTTPS traffic coming from your device, this key is generated when you created/issued the Root CA.
            • Traffic Inspection : With the traffic decrypted, you can use Wireshark configured to the proxy to inspect the traffic.
            • Proxy Re-encrypts and Forwards: After inspection, the proxy re-encrypts the traffic using a legitimate certificate and forwards it to the real website.
            • Socsa@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              2
              ·
              edit-2
              6 months ago

              It would still be tedious to inspect every bit to ensure that a rogue service isn’t just tacking chunks of noise onto a legitimate data stream. I’d argue that it’s almost impossible to verify that every bit is legitimate unless you also control the host and know exactly what the traffic is supposed to look like.

              • Rustmilian@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                ·
                6 months ago

                by “the host” you mean the server?
                With the traffic decrypted it should be possible to automate the inspection process to some degree, but obviously milage may vary.