尽管加密,burp-suite 如何拦截 https 请求?
How does burp-suite intercept https requeest inspite of the encryption?
当我遇到它的加密时,我正试图让自己熟悉 https 的基本概念,简而言之,它的功能如下,
现在我看到我公司的QA工程师用这个叫burp-suite的工具来拦截请求
我很疑惑的是,虽然数据是通过加密通道传输的,但是像burp-suite这样的拦截工具怎么能拦截请求。
只是为了尝试一下,我尝试在 burp-suite 中拦截 facebook 请求,
这里可以清楚的看到我在拦截请求中使用的测试邮件test@gmail.com
为什么此数据未根据 https 标准加密?
或者如果是,那么 burp-suite 如何设法解密它?
谢谢。
Meta:这不是真正的开发或编程问题或问题,尽管 Burp 有时用于研究或调试。
If you LOOK AT THE DOCUMENTATION on Using Burp Proxy
Burp CA certificate - Since Burp breaks TLS connections between your browser and servers, your browser will by default show a warning message if you visit an HTTPS site via Burp Proxy. This is because the browser does not recognize Burp's TLS certificate, and infers that your traffic may be being intercepted by a third-party attacker. To use Burp effectively with TLS connections, you really need to install Burp's Certificate Authority master certificate in your browser, so that it trusts the certificates generated by Burp.
and following the link provided right there
By default, when you browse an HTTPS website via Burp, the Proxy generates a TLS certificate for each host, signed by its own Certificate Authority (CA) certificate. ...
使用它自己生成的证书(和匹配的密钥,虽然网页没有谈论它,因为它对人们不可见)而不是来自真实站点的证书允许 Burp 'terminate'来自客户端的 TLS 会话,解密和检查数据,然后通过不同的 TLS 会话将该数据转发到真实站点,反之亦然(除非配置为执行不同的操作,例如修改数据)。
... This CA certificate is generated the first time Burp is run, and stored locally. To use Burp Proxy most effectively with HTTPS websites, you will need to install Burp's CA certificate as a trusted root in your browser.
随后是有关风险的警告,以及 link 相关说明。
有自己的 CA 证书在浏览器中受信任意味着生成的证书被浏览器接受并且一切看起来大部分对浏览器用户(或其他客户端)来说是正常的。
当我遇到它的加密时,我正试图让自己熟悉 https 的基本概念,简而言之,它的功能如下,
现在我看到我公司的QA工程师用这个叫burp-suite的工具来拦截请求
我很疑惑的是,虽然数据是通过加密通道传输的,但是像burp-suite这样的拦截工具怎么能拦截请求。
只是为了尝试一下,我尝试在 burp-suite 中拦截 facebook 请求,
这里可以清楚的看到我在拦截请求中使用的测试邮件test@gmail.com
为什么此数据未根据 https 标准加密?
或者如果是,那么 burp-suite 如何设法解密它?
谢谢。
Meta:这不是真正的开发或编程问题或问题,尽管 Burp 有时用于研究或调试。
If you LOOK AT THE DOCUMENTATION on Using Burp Proxy
Burp CA certificate - Since Burp breaks TLS connections between your browser and servers, your browser will by default show a warning message if you visit an HTTPS site via Burp Proxy. This is because the browser does not recognize Burp's TLS certificate, and infers that your traffic may be being intercepted by a third-party attacker. To use Burp effectively with TLS connections, you really need to install Burp's Certificate Authority master certificate in your browser, so that it trusts the certificates generated by Burp.
and following the link provided right there
By default, when you browse an HTTPS website via Burp, the Proxy generates a TLS certificate for each host, signed by its own Certificate Authority (CA) certificate. ...
使用它自己生成的证书(和匹配的密钥,虽然网页没有谈论它,因为它对人们不可见)而不是来自真实站点的证书允许 Burp 'terminate'来自客户端的 TLS 会话,解密和检查数据,然后通过不同的 TLS 会话将该数据转发到真实站点,反之亦然(除非配置为执行不同的操作,例如修改数据)。
... This CA certificate is generated the first time Burp is run, and stored locally. To use Burp Proxy most effectively with HTTPS websites, you will need to install Burp's CA certificate as a trusted root in your browser.
随后是有关风险的警告,以及 link 相关说明。
有自己的 CA 证书在浏览器中受信任意味着生成的证书被浏览器接受并且一切看起来大部分对浏览器用户(或其他客户端)来说是正常的。