How to easily decrypt TLS traffic from a browser in Wireshark

Original author: Jim Shaver
Many of you are familiar with Wireshark, a traffic analyzer that helps you understand what is happening on the network, diagnose problems, and generally do a great many things.


One of the problems with the way Wireshark works is that it cannot easily analyze encrypted traffic such as TLS. Previously you could give Wireshark the server's private key, if you had it, and it would decrypt the traffic on the fly, but this only worked when the RSA key exchange was used exclusively. That approach broke once people started promoting Perfect Forward Secrecy: with ephemeral key exchange the private key alone is not enough to recover the session key that actually encrypts the data. The second problem is that the private key should not, or cannot, be exported from the client, server or HSM (Hardware Security Module) that holds it. Because of this, one had to resort to dubious tricks such as decrypting traffic through a man-in-the-middle (for example, through sslstrip).

Session key logging to the rescue!


Well, friends, today I will tell you about an easier method! It turns out that Firefox and the development (Dev channel) builds of Chrome can log the symmetric session keys used to encrypt the traffic to a file. You point Wireshark at that file and (voila!) the traffic is decrypted. Let's set this up.

Configuring the browsers


We need to set an environment variable.

Windows

Open the computer properties, then "Advanced system settings", then "Environment Variables...".

Add a new user variable named "SSLKEYLOGFILE" and set its value to the path of the file the keys should be written to.

Linux and Mac OS X
$ export SSLKEYLOGFILE=~/path/to/sslkeylog.log

You can also add this line at the end of your ~/.bashrc on Linux or ~/.MacOSX/environment on OS X so that you do not have to set it every time after logging in.

The next time you launch Firefox or Chrome from the Dev channel, they will write the TLS session keys to this file.
UPD: If nothing works for you on OS X, take a look at the comments on the original article. It seems that Apple changed how environment variables are handled in a newer version of OS X. Try running Firefox and Wireshark from the same terminal window:

$ export SSLKEYLOGFILE=/Users/username/sslkeylogs/output.log
$ open -a firefox
$ wireshark

Thanks to Tomi for this comment.

I don't know about Mac OS X, but on Linux the method described by the author will not work. Environment variables always apply within the same session (tty, pty), and you need to start Firefox from the same window.
~ ValdikSS

Configuring Wireshark


You will need Wireshark version 1.6 or later. Open the Wireshark preferences (Edit > Preferences).

Expand the "Protocols" section and select SSL (called TLS in Wireshark 3.0 and later).

Specify the path to the key log file in the "(Pre)-Master-Secret log filename" field.
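Before pointing Wireshark at the file, it is worth checking that the log actually covers the session you want to decrypt. The browsers write the NSS key log format: one line per session, keyed by the 32-byte Random from the ClientHello, and the most common reason decryption silently fails is that the browser was started before SSLKEYLOGFILE was set, so no entry for that session exists. The block below is an added example, not code from the original article or from Wireshark: it parses such a file, pulls the Random out of a raw ClientHello record and reports whether a matching entry is present. The ClientHello bytes and key log lines are constructed for the example; the parser also accepts the per-stage TLS 1.3 labels that newer browsers write, which goes beyond the TLS 1.2-era setup the article describes.

```python
"""Check that an SSLKEYLOGFILE covers a captured TLS session (added example)."""
import re
from typing import Dict, Optional

# NSS key log format: "<LABEL> <client_random hex> <secret hex>", '#' starts a comment.
# CLIENT_RANDOM lines carry the 48-byte master secret (TLS 1.0-1.2); TLS 1.3 sessions
# use per-stage labels such as CLIENT_TRAFFIC_SECRET_0, keyed by the same client random.
_LINE_RE = re.compile(r"^([A-Z_0-9]+)\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s*$")


def parse_keylog(text: str) -> Dict[str, Dict[str, bytes]]:
    """Map client_random (lowercase hex) -> {label: secret bytes}; malformed lines are skipped."""
    entries: Dict[str, Dict[str, bytes]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        label, client_random, secret = m.groups()
        if len(client_random) != 64:  # ClientHello.random is exactly 32 bytes
            continue
        entries.setdefault(client_random.lower(), {})[label] = bytes.fromhex(secret)
    return entries


def client_random_from_record(record: bytes) -> Optional[bytes]:
    """Extract ClientHello.random from a raw TLS record.

    Layout: 5-byte record header (type 0x16 = handshake, version, length),
    4-byte handshake header (type 0x01 = client_hello, length),
    2-byte legacy_version, then the 32-byte random.
    """
    if len(record) < 5 + 4 + 2 + 32 or record[0] != 0x16:
        return None
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    if len(body) < 4 + 2 + 32 or body[0] != 0x01:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_len + 4 > len(body):
        return None
    return body[4 + 2:4 + 2 + 32]


def check_session(record: bytes, keylog_text: str) -> str:
    """Explain whether the key log has what Wireshark needs for this ClientHello."""
    rnd = client_random_from_record(record)
    if rnd is None:
        return "not a ClientHello"
    labels = parse_keylog(keylog_text).get(rnd.hex())
    if not labels:
        return "no key log entry"
    return "decryptable: " + ", ".join(sorted(labels))


def build_client_hello(random32: bytes) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record around the given random (constructed test input;
    real ClientHellos carry many more cipher suites and extensions, which the parser ignores)."""
    session_id = b"\x00"
    cipher_suites = b"\x00\x02\xc0\x2f"  # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    compression = b"\x01\x00"
    body = b"\x03\x03" + random32 + session_id + cipher_suites + compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed key log content in the format Firefox/Chrome write (values are dummies).
SAMPLE_KEYLOG = (
    "# SSL/TLS secrets log file, generated by NSS\n"
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48 + "\n"
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "bb" * 32 + "\n"
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "cc" * 32 + "\n"
    "this line is garbage and must be ignored\n"
)

if __name__ == "__main__":
    for rnd_byte in (0x11, 0x22, 0x33):
        hello = build_client_hello(bytes([rnd_byte] * 32))
        print(f"random {rnd_byte:02x}*32: {check_session(hello, SAMPLE_KEYLOG)}")
```

If the check reports "no key log entry" for a session you expected to decrypt, the browser process was almost certainly started without the variable in its environment; restart it from the same shell that exported SSLKEYLOGFILE and capture again. The same file also works from the command line: `tshark -o tls.keylog_file:/path/to/sslkeylog.log -r capture.pcap` (the preference was named `ssl.keylog_file` before Wireshark 3.0).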

Result


This is what we usually see when we inspect a TLS packet: the application data is just encrypted bytes.

But now switch to the "Decrypted SSL Data" tab that appears in the packet bytes pane. We can see the request text. Victory!

Conclusion


Hopefully it will now be much easier for you to inspect TLS traffic. One notable feature of this method is that Wireshark does not need to be installed on the computer that generates the TLS traffic, so you don't have to put extra programs on client machines: write the key log to a network share or simply copy it off the machine, and use it together with the traffic capture. Keep in mind that whoever holds the key log file can decrypt every session in it, so treat it with the same care as the captured traffic itself.

Thank you for reading!
