The Internet was not designed to be secure on its own. Many protocols (such as HTTP and DNS ) are designed to serve their purpose and to transmit information over the network without security.
However, nowadays privacy and security are major priorities. As a result, the Transport Level Security (TLS) protocol (and predecessor of SSL) are designed to encrypt network traffic. This allows computers to use the same protocols to format data (such as HTTP) but add a level of security (converting it to HTTPS).
The problem with SSL / TLS security is that it works. While encryption templates were developed for a good purpose, hackers also use them for illegal activity. In this article, we will describe how to perform SSL / TLS decryption in Wireshark.
Table of Contents
What you will need
The Wireshark is a commonly known and freely available tool for network analysis.
The other thing you need to do before decrypting the encrypted TLS traffic is to configure your web browser to extract the TLS keys from the client.
Since TLS is designed to protect client and server data during information transmission, it makes sense that it is designed so that anyone can decrypt the traffic.
In Firefox and Chrome, this can be accomplished by setting a variable called SSLKEYLOGFILE. If this variable is set both browsers are configured to save a copy of the client to the specified file location. In Linux, this variable can be set using the Export command. In Windows, it can be configured by opening Advanced System Settings, selecting Environment Variables, and then adding a new System Variable. An example of this variable in Windows is shown below.
Once the variable is set, it is recommended that the system be restarted to ensure that the new settings are active. Once completed, we have everything we need to decrypt the TLS traffic.
Perform motion decryption
If you want to decrypt TLS traffic, you must first record it. For this reason, it is important to enable and run Wireshark before you start surfing.
Before we start downloading the program, we need to prepare the TLS traffic decryption. To do this, click Edit → Preferences. Select Protocols in the left pane and scroll down to TLS. At this point, you will see something similar to the image below.
At the bottom of this image, there is a field with the file name (Pre) -Master-Secret log. As shown above, you must set this value in the same location as SSLKEYLOGFILE for your browser. When done, click OK.
Now on the Wireshark main screen, it will display a list of possible adapters to download. In this example, I will use WiFi 2 as there is traffic (shown from the black bar).
Clicking on an adapter will start recording its traffic on it.
At this point, you are ready to generate some encrypted TLS traffic. Go to Chrome or Firefox and browse to a site that uses HTTPS (we used Facebook for this example). Once the page is loaded, return to Wireshark and stop capturing the packages.
Looking at the download, you will probably see a lot of traffic. What we are looking for now are packages related to the TLS encrypted browsing session. One method is to find the DNS lookup and filter by the IP address provided (shown below). The image below shows a package from our Facebook browsing session.
As you can see, Wireshark displays some different tabs at the bottom of the window. In addition to the Frame tab, one is called Decrypted TLS. Looking at the ASCII representation of the package, we see the certificate of the site (including the word Facebook). At this point, we have successfully decrypted the TLS release on Wireshark.
Applications and restrictions
Decrypting TLS traffic is achieved with many applications. Many hackers have resorted to using encrypted transmissions in an attempt to increase their level of anonymity and to control the communications and credibility of their victims. (People have been trained to trust the green padlock unfortunately…) Using TLS decryption, businesses can decrypt and inspect packets on the traffic in their business.
The main limitation of TLS decryption in Wireshark is that it requires the monitoring device to have access to the secrets used for the encryption. While we have achieved this by exporting keys from Chrome and Firefox, many companies choose to implement a proxy that splits the TLS connection in two. While this is effective for monitoring, it has important implications for privacy and security.
The issue of confidentiality is that users can not be excluded from monitoring in certain cases (eg checking banking information).