
Decrypting SSL/TLS traffic with Wireshark

Introduction

The Internet wasn’t designed to be secure from the start. Many protocols (such as HTTP and DNS) were designed to serve their purpose of conveying information over the network without spending time on security.

However, in the modern Internet, privacy and security are major priorities. As a result, the Transport Layer Security (TLS) protocol (and its predecessor, SSL) was designed to encrypt traffic as it travels over the network. This lets computers keep using the same underlying protocols for formatting data (like HTTP) while adding a layer of security on top (turning HTTP into HTTPS).

The issue with SSL/TLS for cybersecurity professionals is that it works. While the encryption standards were developed for good purposes, the bad guys use them too. In this article, we’ll describe how to perform SSL/TLS decryption in Wireshark.

What you’ll need

Wireshark is a well-known and freely available tool for network analysis. The first step in using it for TLS/SSL decryption is downloading it from wireshark.org and installing it.

The other thing that you’ll need to do before decrypting TLS-encrypted traffic is to configure your Web browser to export client-side TLS keys. Since TLS is designed to protect the confidentiality of the client and the server during transmissions, it’s logical that it’s designed so that either of them can decrypt the traffic but no one else can. Since we’re acting as an eavesdropper on the network (the exact thing that TLS is designed to prevent), we need to have one of the trusted parties share their secrets with us.

In Firefox and Chrome, this can be accomplished by setting an environment variable called SSLKEYLOGFILE. If this variable is present in the browser's environment when it starts, both browsers will append a copy of the client's secrets to the indicated file as connections are made. On Linux, the variable can be set in the shell with the export builtin before launching the browser from that same shell.
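The steps above as a small shell workflow, added here as an example rather than taken from the original article: export SSLKEYLOGFILE, start the browser from that shell, sanity-check the resulting key log, then hand the same file to tshark (the command-line counterpart of Wireshark) through the tls.keylog_file preference, which is the setting behind Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename. The browser binary name, the capture file name capture.pcapng and the key log path are assumptions; the key log lines in the comments are the NSS key log format that Firefox and Chrome both write.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes Firefox (or Chrome),
# tshark, and a capture named capture.pcapng taken while the browser ran.

KEYLOG="${SSLKEYLOGFILE:-$HOME/sslkeys.log}"   # assumed default location

# Step 1: the variable must be in the browser's environment at start-up; a
# browser that is already running will never see it. Run this, not a desktop
# launcher, so the child process inherits SSLKEYLOGFILE.
launch_browser() {
    export SSLKEYLOGFILE="$KEYLOG"
    firefox "$@" &
}

# Step 2: check the key log before blaming Wireshark. The format is one record
# per line:  LABEL <ClientRandom, 32 bytes hex> <secret hex>.
# A TLS 1.2 session yields one CLIENT_RANDOM line carrying the 48-byte master
# secret; a TLS 1.3 connection yields several *_TRAFFIC_SECRET lines plus
# EXPORTER_SECRET, all keyed on the same ClientRandom. Without a line whose
# ClientRandom matches the ClientHello in the capture, nothing decrypts.
keylog_summary() {
    awk '
        /^#/ || NF == 0                  { next }            # NSS writes a comment header
        NF != 3 || length($2) != 64      { bad++; next }     # malformed or wrong ClientRandom size
        $1 == "CLIENT_RANDOM"            { if (length($3) == 96) tls12++; else bad++; next }
        $1 ~ /_TRAFFIC_SECRET(_[0-9]+)?$/ || $1 ~ /EXPORTER_(MASTER_)?SECRET$/ { tls13++; next }
                                         { other++ }
        END { printf "tls12=%d tls13=%d other=%d bad=%d\n", tls12, tls13, other, bad }
    ' "$1"
}

# Step 3: decrypt. -o tls.keylog_file:PATH is the same preference Wireshark
# stores when you set the (Pre)-Master-Secret log filename in the GUI, so a
# capture that decrypts here will decrypt there too.
decrypt_http() {
    tshark -r "$1" -o "tls.keylog_file:$KEYLOG" -Y http \
        -T fields -e frame.number -e ip.dst -e http.request.method -e http.request.full_uri
}

# Typical session (commented out so the script can be sourced for its functions):
#   launch_browser https://example.com
#   keylog_summary "$KEYLOG"        -> e.g. tls12=0 tls13=5 other=0 bad=0
#   decrypt_http capture.pcapng
```

If keylog_summary reports only TLS 1.3 labels, remember that Wireshark also needs the full handshake in the capture for those sessions; start the capture before the browser opens the connection, or disable session resumption in the browser while testing.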

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/J-CNlq6YfKo/
