Decrypting SSL / TLS traffic with Wireshark

The internet was not designed with security in mind. Many protocols (such as HTTP and DNS) were designed to do their job and move information across the network in cleartext, with no confidentiality or integrity protection.

Today, however, privacy and security are major priorities. As a result, the Transport Layer Security (TLS) protocol, and its predecessor SSL, were designed to encrypt network traffic. This lets computers keep using the same application protocol to format data (such as HTTP) while wrapping it in an encrypted channel, which is what turns HTTP into HTTPS.

The problem with SSL / TLS from a defender's point of view is that it works. Encryption was developed for good reasons, but attackers use it just as readily to hide their activity from inspection. In this article we describe how to perform SSL / TLS decryption in Wireshark.

What you will need

Wireshark is a well-known, freely available tool for capturing and analysing network traffic.

The other thing you need before you can decrypt TLS traffic is a web browser configured to write out the TLS session secrets it negotiates, so that they can be handed to Wireshark.

Since TLS exists to protect client and server data in transit, it is deliberately designed so that a third party cannot decrypt the traffic. Decryption therefore only works when one of the endpoints hands over its session secrets, which is exactly what the key log file described next does.
</gml_replace>
<gr_replace lines="17" cat="clarify" orig="In Firefox and Chrome">
In Firefox and Chrome this is done by setting an environment variable called SSLKEYLOGFILE. When this variable is set, both browsers append the secrets of every TLS session they open (in the NSS key log format, one line per secret, keyed by the connection's client random) to the file it names. On Linux the variable is set with the shell's export builtin and the browser is then launched from that same shell, so that it inherits the variable. On Windows it can be configured by opening Advanced System Settings, selecting Environment Variables, and adding a new System Variable whose value is the path of the log file. The original post shows this Windows dialog in a screenshot.

In Firefox and Chrome, this can be accomplished by setting a variable called SSLKEYLOGFILE. If this variable is set both browsers are configured to save a copy of the client to the specified file location. In Linux, this variable can be set using the Export command. In Windows, it can be configured by opening Advanced System Settings, selecting Environment Variables, and then adding a new System Variable. An example of this variable in Windows is shown below.

Once the variable is set, restart the browser so that it picks up the new environment (on Windows, logging off or restarting the system ensures every process sees it). A quick check that it worked: after visiting any HTTPS site, the named file should exist and grow. At this point we have everything we need to decrypt TLS traffic.

Performing the decryption

If you want to decrypt TLS traffic, you must first capture it, and the capture must include the TLS handshake: Wireshark uses the client random from the ClientHello to find the matching line in the key log, so a session whose handshake was missed cannot be decrypted. For this reason it is important to start Wireshark and begin capturing before you start browsing.

Before we start capturing, we need to configure TLS decryption. To do this, click Edit → Preferences. Select Protocols in the left pane and scroll down to TLS (it is listed as SSL in Wireshark versions before 3.0). At this point you will see something similar to the image below.

At the bottom of this image there is a field named (Pre)-Master-Secret log filename. As shown above, you must set this value to the same path you gave SSLKEYLOGFILE for your browser. When you are done, click OK.

Back on the Wireshark main screen, you will see a list of the interfaces available for capture. In this example I will use WiFi 2, since the activity graph next to it (the black line) shows that traffic is flowing on it.

Double-clicking an interface (or selecting it and pressing the blue shark-fin button) starts capturing its traffic.

At this point you are ready to generate some TLS-encrypted traffic. Go to Chrome or Firefox and browse to a website that uses HTTPS (we used Facebook for this example). Once the page has loaded, return to Wireshark and stop the capture.

Looking at the capture, you will probably see a lot of traffic. What we are looking for are the packets belonging to the TLS-encrypted browsing session. One method is to find the DNS lookup for the site and then apply a display filter on the ip.addr field for the address returned in the answer (shown below). The image below shows a packet from our Facebook browsing session.

As you can see, Wireshark shows several tabs at the bottom of the window. In addition to the Frame tab there is one labelled Decrypted TLS. In the ASCII view of those decrypted bytes we can read the site's certificate (including the word Facebook). At this point we have successfully decrypted the TLS session in Wireshark. If the Decrypted TLS tab does not appear, the usual causes are a wrong key log path in the preferences, a capture that missed the handshake, or a key log with no entry for that session's client random.
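The key log file the browser writes and the lookup Wireshark performs against it are worth seeing in code. The following is an added example (not code from the original post or from the Wireshark project): it parses a key log in the NSS format that SSLKEYLOGFILE produces, indexes the entries by client random, extracts the client random from a raw ClientHello record, and joins the two, which is the matching step Wireshark carries out for every captured session. The sample key log and the ClientHello are constructed in the block for illustration and come from no real capture; the function names and the choice of one cipher suite in the fixture are the author's own.

```python
import re

# Labels Wireshark accepts in a key log written via SSLKEYLOGFILE.
# CLIENT_RANDOM carries the 48-byte master secret (TLS 1.2 and earlier);
# the remaining labels are the per-direction, per-phase secrets of TLS 1.3.
KNOWN_LABELS = {
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}

# One entry per line: <LABEL> <32-byte client random, hex> <secret, hex>
LINE_RE = re.compile(
    r"^(?P<label>[A-Z_0-9]+)\s+(?P<client_random>[0-9a-fA-F]{64})\s+(?P<secret>[0-9a-fA-F]+)$"
)


def parse_keylog(text):
    """Index a key log by client random: {client_random_hex: {label: secret_bytes}}.

    Blank lines and '#' comments (the header NSS/Firefox writes) are skipped.
    Malformed or unknown lines raise, because a silently dropped entry is
    exactly the session that would later fail to decrypt in Wireshark.
    """
    index = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not in NSS key log format: {line!r}")
        label = m.group("label")
        if label not in KNOWN_LABELS:
            raise ValueError(f"line {lineno}: unknown label {label}")
        secret_hex = m.group("secret")
        if len(secret_hex) % 2:
            raise ValueError(f"line {lineno}: odd-length secret")
        if label == "CLIENT_RANDOM" and len(secret_hex) != 96:
            raise ValueError(f"line {lineno}: master secret must be 48 bytes")
        index.setdefault(m.group("client_random").lower(), {})[label] = bytes.fromhex(secret_hex)
    return index


def client_random_from_client_hello(record):
    """Return the hex client random from a TLS record carrying a ClientHello.

    Layout: 5-byte record header (type 0x16, version, length), 4-byte
    handshake header (type 0x01, 3-byte length), 2-byte legacy version,
    then the 32-byte random. The random is the only handshake field needed
    to look the session up in the key log.
    """
    if len(record) < 43:
        raise ValueError("record too short for a ClientHello")
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    if record[5] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    return record[11:43].hex()


def secrets_for_session(record, keylog_index):
    """Return the key log entry for the session this ClientHello opened, or None."""
    return keylog_index.get(client_random_from_client_hello(record))


def build_client_hello(client_random):
    """Build a minimal well-formed ClientHello record around a given random.
    Test fixture only: one cipher suite, no extensions."""
    body = (
        b"\x03\x03"            # legacy_version: TLS 1.2
        + client_random        # 32-byte random
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"          # compression_methods: null only
        + b"\x00\x00"          # extensions length 0
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample data (not from a real capture): one TLS 1.2-style
# CLIENT_RANDOM entry, one TLS 1.3 set of secrets, and the NSS header line.
RANDOM_12 = bytes(range(0x00, 0x20))
RANDOM_13 = bytes(range(0x20, 0x40))
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    f"CLIENT_RANDOM {RANDOM_12.hex()} {'ab' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {RANDOM_13.hex()} {'01' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {RANDOM_13.hex()} {'02' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {RANDOM_13.hex()} {'03' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {RANDOM_13.hex()} {'04' * 32}",
])


if __name__ == "__main__":
    index = parse_keylog(SAMPLE_KEYLOG)
    hello = build_client_hello(RANDOM_13)
    print(sorted(secrets_for_session(hello, index)))
```

Wireshark performs the same join once it is pointed at the file through Edit → Preferences → Protocols → TLS → (Pre)-Master-Secret log filename; on the command line the equivalent is the tshark option -o tls.keylog_file:/path/to/keylog.txt (ssl.keylog_file in versions before 3.0). Because every line in that file decrypts a session, treat it as a secret: keep it readable only by your user, capture into it for as short a time as the analysis needs, and delete it afterwards.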

Applications and restrictions

Decrypting TLS traffic has many applications. Many attackers have turned to encrypted transmissions both to increase their anonymity and to hide their command-and-control communications, trading on the trust their victims place in the connection (people have unfortunately been trained to trust the green padlock). With TLS decryption, businesses can decrypt and inspect the packets flowing through their networks.

The main limitation of TLS decryption in Wireshark is that the monitoring device needs access to the secrets used for the encryption. We achieved this by exporting the keys from Chrome and Firefox, but that only scales to machines you control; many companies instead deploy an intercepting proxy that splits each TLS connection in two, terminating the client's session on the proxy and opening a second one to the real server. While this is effective for monitoring, it has important implications for privacy and security.

The privacy issue is that users cannot always be exempted from inspection where they should be (for example, when accessing banking information). The security issue is that the proxy now performs certificate validation on the users' behalf: if it accepts certificates the browser would have rejected, or negotiates weaker cipher suites with the server than the browser would, every client behind it is exposed. The key-log approach has its own exposure, since anyone who can read the SSLKEYLOGFILE can decrypt every session it covers, so the file must be protected and removed when the analysis is done.


Written by Anastasis Vasileiadis
