Preventing HTTPS Replay Attacks

I’ve read here that HTTPS replay attacks aren’t possible from MITM attacks, but I want to be sure that it’s not saying that HTTPS replay attacks aren’t possible at all. I want to know if I have to implement my own obscure method for temporarily preventing the inevitable or if something like this already exists.

Suppose the attacker is the client. They have access to the client and are communicating with the server legitimately, analyzing the traffic. Therefore, the attacker has access to the client’s private key (or at least, the ability to replicate its generation). What’s stopping them from just replaying the traffic through a fake client after sniffing the payload before it’s encrypted? That is to say, running it through the client to encrypt it, then sending it themselves.

My client relies on the hardware information from the system to validate one-user-per-subscription, and I want to know what all of the weak points are for this system. Spoofing it seems really easy if they generate it normally once, then spoof it every time after.