I am not sure how much of this technique can be used elsewhere for legitimate purposes.
In this example, except for an administrator spying on other users on a shared machine, which is kind of already an admitted risk by users on a shared machine anyway.
> I am not sure how much of this technique can be used elsewhere for legitimate purposes
...as a Linux systems engineer, you are many times faced with debugging a black box problem wrapped in SSL on both ends which you need to peek into to understand what's going wrong; there is nothing suspect about this technique in this environment, it's what you're paid to do (solve problems). It's basically like having the ability to elevate your NIC port to promiscuous mode to debug an issue (tcpdump, e.g.) - it's a tool with no opinion, the human operating it is the one to be worried about.
It's useful to a security researcher or privacy advocate looking into what an application like zoom is actually sending around.
It may be also helpful when reverse engineering "proprietary" protocols, e.g. to create compatible clients.
It may be even easier to just "mitm" the traffic like this in applications you develop yourself to find out what's going on deeply buried in some third party library. Easier than modifying the code or attaching a normal debugger.
Looking at the data our machines are sending over the network is perfectly legitimate activity. Companies should not be able to protect their software from us. We need to be able to see everything they are doing.
Well, they especially shouldn't be able to do that, but no, companies should not be able to hide anything at all. (If there's anything that shouldn't be public (eg security camera footage, billing records), the company as a whole shouldn't have access to it in the first place. Ideally they shouldn't be allowed to collect it at all, but there are obvious practical issues with applying that universally.)
Looks like nextgen ad blocking to me. If you can instrument TLS connections on the client, you can identify ad content and substitute blank video frames or just 404s.
Writing a toy ad blocker is actually on my todo list :)
There are just so many things you can do. The original goal of the post was to tamper with zoom's attention tracking for example (which was a field in one of their protobuf payloads).
Proxomitron had that capability years ago - MITM proxy to filter pages and block ads, among other things. I still use it, it's very useful and continues to run fine on the newest Windows.
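As an added example of the ad-blocking idea in the comments above (not code from the original post, from Proxomitron, or from any commenter): once TLS is terminated on the client side, blocking is just a classification step over the plaintext request plus a substituted response. The sketch below is written as an addon for mitmproxy, a real TLS-intercepting proxy whose CA the client must trust; the blocklist hosts and path fragments are constructed for the example, and the decision logic is kept in plain functions so it runs and can be tested without mitmproxy installed. Tracking pixels get a blank 1x1 GIF, ad video segments get an empty 204 (a blank-frame video would need a real media file embedded), and everything else on the list gets a 404.

```python
"""Ad-neutralising addon for mitmproxy.

Run with:  mitmdump -s adblock_addon.py
The intercepted client must trust mitmproxy's CA; the classification below
is plain Python so it can be exercised offline, without mitmproxy present.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed blocklist for this example (hypothetical hosts and paths);
# a real deployment would load a maintained list such as EasyList.
AD_HOSTS = frozenset({"ads.example.net", "tracker.example.org"})
AD_PATH_FRAGMENTS = ("/adserver/", "/banner/", "/pixel.gif")
IMAGE_SUFFIXES = (".gif", ".png", ".jpg")
VIDEO_SUFFIXES = (".ts", ".m4s", ".mp4", ".webm")

# Smallest valid 1x1 transparent GIF: a harmless body for tracking pixels.
BLANK_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
             b"\x00\x02\x02D\x01\x00;")


@dataclass(frozen=True)
class Verdict:
    action: str            # "pass", "not_found", "blank_image" or "empty_video"
    status: int            # HTTP status to synthesise (0 when passing through)
    content: bytes = b""
    content_type: str = ""


def host_is_ad(host: str) -> bool:
    """True for a listed host or any subdomain of one (never a lookalike)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in AD_HOSTS)


def classify(url: str) -> Verdict:
    """Decide what the proxy should do with one intercepted request URL."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path.lower()
    is_ad = host_is_ad(host) or any(f in path for f in AD_PATH_FRAGMENTS)
    if not is_ad:
        return Verdict("pass", 0)
    if path.endswith(IMAGE_SUFFIXES):
        # <img> tags render by sniffing, so a GIF body is fine for .png/.jpg too.
        return Verdict("blank_image", 200, BLANK_GIF, "image/gif")
    if path.endswith(VIDEO_SUFFIXES):
        # An empty segment is skipped by players; no blank video is embedded.
        return Verdict("empty_video", 204)
    return Verdict("not_found", 404)


def request(flow) -> None:
    """mitmproxy 'request' hook: answer ad requests before they leave the proxy."""
    verdict = classify(flow.request.pretty_url)
    if verdict.action == "pass":
        return
    # Imported lazily so the pure logic above loads without mitmproxy installed.
    from mitmproxy import http
    headers = {"Content-Type": verdict.content_type} if verdict.content_type else {}
    flow.response = http.Response.make(verdict.status, verdict.content, headers)
```

The same `classify` step is where a privacy researcher would instead log or rewrite a specific field in the decrypted payload, which is the broader use the thread describes; the proxy only ever sees plaintext because the client was made to trust its CA, so this does nothing against pinned connections.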
An administrator spying on other users on a shared machine is not a legitimate purpose (though, yes, it is a fairly obvious risk which no one should be surprised by).