当我遇到它的加密时,我试图让自己熟悉它的基本概念,简而言之,它的功能如下,
现在我看到我公司的 QA 工程师使用这个叫做 burp-suite 的工具来拦截请求。
我感到困惑的是,即使数据流经加密 channel ,任何拦截工具(如 burp-suite)如何设法拦截请求。
只是为了尝试一下,我试图拦截 facebook打嗝套件中的请求,
这里可以清楚的看到测试邮件test@gmail.com我在拦截的请求中使用了。
为什么这些数据没有按照 https 标准加密?
或者如果是,那么burp-suite如何设法解密它?
谢谢你。
最佳答案
Meta:这不是一个真正的开发或编程问题或问题,尽管 Burp 有时用于研究或调试。
If you LOOK AT THE DOCUMENTATION on Using Burp Proxy
Burp CA certificate - Since Burp breaks TLS connections between your browser and servers, your browser will by default show a warning message if you visit an HTTPS site via Burp Proxy. This is because the browser does not recognize Burp's TLS certificate, and infers that your traffic may be being intercepted by a third-party attacker. To use Burp effectively with TLS connections, you really need to install Burp's Certificate Authority master certificate in your browser, so that it trusts the certificates generated by Burp.
and following the link provided right there
By default, when you browse an HTTPS website via Burp, the Proxy generates a TLS certificate for each host, signed by its own Certificate Authority (CA) certificate. ...
使用它自己生成的证书(和匹配的 key ,尽管网页没有谈论它,因为它对人们不可见)而不是来自真实站点的证书允许 Burp 从客户端“终止” TLS session ,解密并检查数据,然后通过不同的 TLS session 将该数据转发到真实站点,反之亦然(除非配置为执行不同的操作,例如修改数据)。
... This CA certificate is generated the first time Burp is run, and stored locally. To use Burp Proxy most effectively with HTTPS websites, you will need to install Burp's CA certificate as a trusted root in your browser.
随后是有关风险的警告,以及相关说明的链接。
在浏览器中信任自己的 CA 证书意味着生成的证书被浏览器接受,并且对于浏览器用户(或其他客户端)来说,一切看起来都很正常。
关于ssl - 尽管加密,burp-suite 如何拦截 https 请求?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/61718311/