
SoylentNews is people

posted by n1 on Sunday November 20 2016, @08:10AM
from the give-me-your-keys dept.

Most IT people are somewhat familiar with Wireshark. It is a traffic analyzer that helps you learn how networking works, diagnose problems and much more.

One of the problems with the way Wireshark works is that it can’t easily analyze encrypted traffic, like TLS. It used to be that if you had the private key(s) you could feed them into Wireshark and it would decrypt the traffic on the fly, but it only worked when using RSA for the key exchange mechanism. As people have started to embrace forward secrecy this broke, as having the private key is no longer enough to derive the actual session key used to decrypt the data. The other problem with this is that a private key should not or cannot leave the client, server, or HSM it is in. This led me to come up with very contrived ways of man-in-the-middling myself to decrypt the traffic (e.g. sslstrip or mitmproxy).

Session Key Logging to the Rescue!

Well, my friends, I’m here to tell you that there is an easier way! It turns out that Firefox and Chrome both support logging the symmetric session key used to encrypt TLS traffic to a file. You can then point Wireshark at said file and presto! Decrypted TLS traffic.
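
A defender-side check for the mechanism described above, added here as an example (it is not from the original post, nor from Firefox, Chrome or Wireshark): it reports whether key logging is enabled in a process environment and validates the lines of a key log file. The `SSLKEYLOGFILE` variable name and the line labels are taken from the NSS Key Log Format rather than from this page, the TLS 1.3 labels go beyond the TLS 1.2 case, and the sample data is constructed.

```python
import os
import re

# Labels from the NSS Key Log Format (assumed here; not listed on the page).
# CLIENT_RANDOM carries a TLS 1.2 master secret (48 bytes); the TLS 1.3
# labels carry per-session traffic secrets (32 or 48 bytes).
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET", "EARLY_EXPORTER_SECRET",
}
HEX = re.compile(r"[0-9a-fA-F]+")

# Constructed sample, not real key material.
SAMPLE = "\n".join([
    "# constructed key log",
    "CLIENT_RANDOM " + "a1" * 32 + " " + "0f" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + "B2" * 32 + " " + "1e" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "b2" * 32 + " " + "2d" * 32,
    "CLIENT_RANDOM " + "c3" * 32 + " " + "0f" * 20,   # secret too short
    "-----BEGIN RSA PRIVATE KEY-----",                 # not a key log line
])

def keylog_path(env=None):
    """Return the key log path if SSLKEYLOGFILE is set and non-empty, else None."""
    env = os.environ if env is None else env
    return env.get("SSLKEYLOGFILE") or None

def parse_keylog(text):
    """Return (entries, rejected line numbers) for key log text."""
    entries, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank lines and comments are allowed
        ok = len(parts) == 3 and all(HEX.fullmatch(p) for p in parts[1:])
        if ok:
            label, rand, secret = parts
            ok = len(rand) == 64 and (
                (label == "CLIENT_RANDOM" and len(secret) == 96)
                or (label in TLS13_LABELS and len(secret) in (64, 96)))
        if ok:
            entries.append((label, rand.lower(), len(secret) // 2))
        else:
            rejected.append(lineno)
    return entries, rejected

def session_count(entries):
    """Distinct client randoms = TLS sessions this file lets Wireshark decrypt."""
    return len({rand for _, rand, _ in entries})
```

Every accepted line is keyed by a client random, so the file holds per-session secrets only; a non-`None` result from `keylog_path()` on a host where nobody is debugging TLS is worth investigating.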

  • (Score: 3, Interesting) by opinionated_science on Sunday November 20 2016, @01:59PM

    by opinionated_science (4031) on Sunday November 20 2016, @01:59PM (#429896)

    I had misplaced knowledge of this - seems like a fantastic backdoor, if its deployment can be hidden....

    Am I misreading this? The browser will "leak" private keys - sure for debugging that's great. But if it can be set by an environment variable, what's to stop a malign sysadmin making this default?

  • (Score: 5, Informative) by Anonymous Coward on Sunday November 20 2016, @02:30PM

    by Anonymous Coward on Sunday November 20 2016, @02:30PM (#429904)

    > what's to stop a malign sysadmin making this default?

    Nothing. And that's why it isn't a problem.
    If you are trying to protect your usage of a system from the person with privileged access to the system then you've already lost the fight.

    • (Score: 2) by dlb on Sunday November 20 2016, @04:36PM

      by dlb (4790) on Sunday November 20 2016, @04:36PM (#429939)
      I'm out of mod points, so instead I'll add, Well put!

      And as long as I'm handing out unsolicited (and maybe not particularly wanted) praise, compliments to Phoenix666 for finding an article that's interesting and tech related.
      • (Score: 2) by janrinok on Sunday November 20 2016, @08:05PM

        by janrinok (52) Subscriber Badge on Sunday November 20 2016, @08:05PM (#430040) Journal

        P666 left us with a pile of tech stories which have been used since Friday onwards. A very prolific submitter!

        • (Score: 2) by dlb on Sunday November 20 2016, @08:53PM

          by dlb (4790) on Sunday November 20 2016, @08:53PM (#430074)
          I've noticed!
  • (Score: 1, Informative) by Anonymous Coward on Sunday November 20 2016, @08:10PM

    by Anonymous Coward on Sunday November 20 2016, @08:10PM (#430044)

    Note these are transient TLS session keys, not RSA private keys they're talking about.