Hacker News new | past | comments | ask | show | jobs | submit login

Can you self sign other people packages with Charles? That's crazy!



Not really, you can do that with any decent SSL tool. Getting the client to accept your trusted certificate is all that is needed. Once you have that you have the keys to the kingdom. I've written similar software myself.

Now on a closed device it can be very difficult to add root certificates to the store, but it's often possible.

For instance when the PS3 firmware was first cracked I took the opportunity to flash mine with a firmware I made that contained my root authority certificate. Then I wrote a python program to intercept and MITM all the traffic.

Result? I found out that on boot your PS3 tells Sony every game (or other thing) you run on the ps3, what times you run them and how long for.


It's a common feature nowadays. The venerable Squid has had that feature for a long time.

http://wiki.squid-cache.org/Features/DynamicSslCert


Yup, as long as you can get the sending device to trust the invalid certificate. This is how I keep an eye on my iPhone traffic.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: