Show HN: Using eBPF to see through encryption without a proxy

188 点作者 tylerflint大约 8 小时前

Hi HN, I'm Tyler Flint, one of the creators of qtap.For a while now, my team and I at Qpoint.io have been grappling with the challenge of understanding what's actually happening inside the encrypted traffic leaving our production systems. Modern apps rely heavily on third-party APIs (think payment processors, data providers, etc.), but once TLS kicks in, figuring out exactly what data is being sent, identifying PII exposure, or debugging integration issues becomes incredibly difficult without resorting to complex and often brittle solutions.Traditional approaches like forward proxies require terminating TLS (MITM), managing certificates, and often introduce performance bottlenecks or single points of failure. Network firewalls usually operate at L3/L4 and lack payload visibility. We felt there had to be a better way.That's why we built qtap. It's a lightweight agent that uses eBPF to tap into network traffic at the kernel level. The key idea is to hook into common TLS libraries (like OpenSSL) before encryption and after decryption. This gives us deep visibility into the actual request/response payloads of HTTPS/TLS traffic without needing to terminate the connection or manage certs. Because it leverages eBPF, the performance impact is minimal compared to traditional methods.With qtap, we can now see exactly which external services our apps are talking to, inspect the payloads for debugging or security auditing (e.g., spotting accidental PII leaks), monitor API performance/errors for third-party dependencies, and get a much clearer picture of our egress traffic patterns.We've found this approach really powerful for improving reliability and security posture. We've packaged qtap as a Linux Binary, Docker container, and Helm chart for deployment.This is still evolving, but we're excited about the potential of using eBPF for this kind of deep, yet non-intrusive, visibility.We'd love to get the HN community's feedback:<pre><code> Do you face similar challenges monitoring encrypted egress traffic? What are your thoughts on using eBPF for this compared to other methods? Any suggestions or potential use cases we haven't considered? </code></pre> Happy to answer any questions!

19 条评论

bbkane大约 7 小时前

Does this work for Go binaries? My understanding is that Go programs do all the encryption "in the process" so the data is encrypted before eBPF can intercept it. I'd love to be wrong about that!

评论 #43928612 未加载

评论 #43928485 未加载

zxilly大约 5 小时前

There's a similiar tool <a href="https://github.com/gojue/ecapture">https://github.com/gojue/ecapture</a>

评论 #43930948 未加载

CMCDragonkai11 分钟前

Does this work in NixOS?

compscidr大约 7 小时前

Have been following this project for a while, cool stuff!I work a bunch with vpn-like networking on Android phones and it would be cool to have a bit of info on how I might get something like working on phones. I guess its probably not your typical usecase.Currently since the project is a VPN client, I already intercept all of the packets, I have a pcap writer and can write to files or a tcp sockets and connect wireshark to it - but it needs a bunch of complication to setup the keys so that I can see through encryption, so anything that would make that process easier would be great.

评论 #43928585 未加载

mrbluecoat大约 1 小时前

Was going to ask if it was only passive monitoring or active controlling and found <a href="https://docs.qpoint.io/appendix/qcontrol-beta" rel="nofollow">https://docs.qpoint.io/appendix/qcontrol-beta</a>> Security enforcement: Allowing or denying traffic based on precise conditionsVery cool. What are your supported log sinks?

评论 #43932392 未加载

eptcyka大约 6 小时前

I know that arguing that SSLKEYLOGFILE is all you need will just be a different version of the rsync/dropbox comment, but I do wonder under what circumstances is one able to strace a binary and isn’t able to make it dump session keys? I read the headline and set high hopes on finding a nifty way to mitm apps on Android - alas, I’m not sure this would work there necessarily.

评论 #43932173 未加载

评论 #43929991 未加载

worldsavior大约 7 小时前

Isn't there already mechanisms for patching specific SSL libraries to view encrypted requests (e.g. frida)? What is the benefit of using eBPF?

评论 #43928897 未加载

pclmulqdq大约 7 小时前

To hook into OpenSSL, don't you either need dynamic linking or userspace programs to compile your hooks in? Go and many Rust and C++ binaries tend to prefer static linking, so I wonder if this solution is workable there.

评论 #43928572 未加载

kristopolous大约 6 小时前

Just found out about a related things: <a href="https://github.com/cle-b/httpdbg">https://github.com/cle-b/httpdbg</a>Anyone have any experience with it?

评论 #43929449 未加载

tecleandor大约 2 小时前

Can it output pcap files or anything similar I can import onto Wireshark or a similar tool? Haven't found anything checking the docs...

评论 #43932255 未加载

Severian大约 5 小时前

Kinda related, anyone know of something similar for Windows? This is definitely going in my toolkit, but I need something similar for Windows client traffic inspection (tls 1.2+) to get the full picture. Working with proprietary client/server coms over tls. Can use a special debug build, but requires shutting down and replacing. Need something in-sutu.

onnimonni大约 2 小时前

Is there anything like this but for MacOS?

评论 #43932249 未加载

octobereleven大约 4 小时前

I don't have any answers/questions, but reading through the discussion, all I can say at this point is — Super impressive guys!

nikolayasdf123大约 7 小时前

sounds like a security breach. how you ensure this does not become link in some next complex CVE?

评论 #43929025 未加载

评论 #43928841 未加载

dahateb大约 6 小时前

Does it also work on android? Afaik ebpf is also available there.

评论 #43930130 未加载

评论 #43930465 未加载

0nethacker1大约 7 小时前

I like the fact this doesn't impact performance like MITM solutions do.

评论 #43929154 未加载

armitron大约 5 小时前

There are many independent implementations of the same idea (given how easy it is to implement) but all suffer from similar shortcomings:1. uprobes can be expensive and add latency (they force a context switch and copy data), especially when the hooked functions are called a lot2. EBPF is not widely available outside of Linux, requires elevated privileges (compared to a MITM proxy that requires no privileges and works with every OS)3. Doesn't work with JVM, Rust, any runtime that doesn't use the hooked functions

评论 #43930407 未加载

delusional大约 6 小时前

What does the usage pattern look like for this. Will I need to be root to run it, and can it run from inside a container without "real" host root?I'm always looking for a way to make sniffing traffic from inside a container easier, and if I could attach a debug sidecar with something like an eBPF based SSL pre-master key extractor (both on incoming and outgoing requests) it starts to feel a lot like having network JTAG.

评论 #43930126 未加载

adampk大约 7 小时前

How easy is the set up, does this need to be deeply integrated in each step of the life-cycle?

评论 #43928686 未加载