It does not work for HTTPS connections (SSL_ERROR_RX_RECORD_TOO_LONG)

[eleumasc]

Hi! First of all, kudos to you for your great job on developing a complete toolbox for dynamic analysis of JS, I really like it :)

I would like to try Otiluke with Aran/Linvail to perform taint analysis of JS. However, despite it works fine for HTTP connections, it gets lost in the case of HTTPS connections (e.g., https://www.google.com/). Looking roughly at the browser/index.js file, it seems that just one instance of HTTP.Server is actually used, while a HTTPS.Agent is present, but (maybe?) without any meaningful purpose.

This is the procedure I followed (on Ubuntu, as superuser):

• Install Otiluke globally with npm install -g otiluke
• Run otiluke-browser-ca
• Install certificate <otiluke-root>/browser/ca/cert.pem on Firefox and restart Firefox
• Run otiluke-browser --vpath=<otiluke-root>/test/virus.js --port=8080
• On Firefox, configure proxy server for all protocols (HTTP, HTTPS, SOCKS) using :: as host and 8080 as port

When I try to navigate to a site that I have never visited before through HTTPS, Firefox throws a SSL_ERROR_RX_RECORD_TOO_LONG error. What am I doing wrong?

Thank you in advance.

[lachrist]

Hi @eleumasc thanks for your interest. First, know that running aran + linvail on real-world sites will make them extremely slow. Have you tried the regular steps to fix this error -- eg: update firefox, clear cache, restart computer, ... If these steps do not work, maybe some security policies changes since I published this code which was a while ago. In that case, I'm afraid I do not have the time to fix this in the foreseeable future. If you feel like it, you are more than welcome to investigate this and submit a PR.