drstuggels
commented
2 years ago I just used the --allow-hosts option to only capture the hosts I care about. Couldn't find any way to bypass ssl/certificate pinning.
Open mosburgerr opened 5 years ago
drstuggels
commented
2 years ago I just used the --allow-hosts option to only capture the hosts I care about. Couldn't find any way to bypass ssl/certificate pinning.
drstuggels
commented
2 years ago It would be great if there existed a big list of hosts/domains/ips that use certificate pinning so that we could ignore them with the --ignore-hosts option.
I've been using mitm type transparent proxying on my home network for some time and it seems that an increasing number of apps use certificate pinning to prevent any decrypting and inspection of SSL/TLS traffic. Particularly any iOS (and probably Android) apps from Google fail to various degrees when using a transparent proxy, but many others like the Facebook app seem to be affected too. In most cases, if the app can see that it is going through a transparent proxy, it either fails silently, or gives an obtuse error message. Will your mitmproxy setup address this? I'd be keen to know if it's avoidable because in my case I've had to disable https decrypt and scan on the proxy for google apps and others just to make them work (which of course means I don't know what data is being sent out).