Decrypting TLS using browsers

One of the lesser-known features of the popular Chrome browser is its support for logging the symmetric session keys used to encrypt TLS traffic to a file of our choice. Let's see what happens when we try to capture a TLS-encrypted packet:

We can see that the network traffic is encrypted using TLS and that the data in the bottom pane is unreadable. Fortunately, browsers such as Chrome can store the TLS keys, which lets us decrypt data that would otherwise make no sense. To set up logging, we need to set a user environment variable: open the Control Panel and choose System.

Next, we need to choose Advanced system settings. In the next step, we will choose the Environment Variables... option. In the User variable section, we will add the SSLKEYLOGFILE variable by clicking New and then set its value as any file of our choice:

Make sure you create an empty file with the name used in the variable value; in our case, it's ssl.log. Now that the setup is ready, we can let the user browse the network. This logging option is helpful where a suspicion about a particular user needs to be confirmed: their TLS traffic can be decrypted and their activities monitored.

On a Linux system, the environment variable can be exported with the export SSLKEYLOGFILE=PATH_OF_FILE command, run in the shell from which the browser is then launched.

Network packets can be captured at a hub or mirror port, but to decrypt the TLS sessions, the log file is required as well. Once this file is set up correctly, administrators and network forensic experts have everything needed to decrypt the TLS sessions on a different system. Let's see what kind of data is generated in the log file:

We can see that the file contains session keys. Let's set up SSL/TLS decryption in Wireshark by navigating to Edit and choosing Preferences. Then scroll down to SSL (named TLS from Wireshark version 3.0 onwards) in the Protocols section:

Let's set the path of the log file in the (Pre)-Master-Secret log filename field and press OK:

We will now have the TLS sessions decrypted:

We can see most of the TLS traffic data in plain HTTP format. It is quite obvious that I will not be giving out this PCAP and the associated log file, for security and privacy reasons. To perform the preceding exercise, you need to set up your environment variable with the path to the log file and browse some TLS-enabled websites. You will then have a log file with various session keys; use it to decrypt your own TLS-enabled data.
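As an added example (not code from this chapter), here is a small parser for the key log file that SSLKEYLOGFILE produces, which lets you check, before loading it into Wireshark, which sessions it covers and which lines are unusable. The label names and secret lengths follow the NSS key log format that Chrome and Firefox write; the sample log lines are constructed, not real secrets.

```python
import re
from collections import defaultdict

# Labels written by Chrome/Firefox. CLIENT_RANDOM carries a TLS 1.2 master
# secret (48 bytes); the others are TLS 1.3 secrets (32 or 48 bytes, per hash).
TLS13_LABELS = {"CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
                "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
                "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}
KNOWN_LABELS = TLS13_LABELS | {"CLIENT_RANDOM"}
# Each line: <label> <32-byte client random, hex> <secret, hex>
LINE_RE = re.compile(r"^(\S+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def parse_keylog(text):
    """Return ({client_random: {label: secret}}, [line numbers that are unusable])."""
    sessions, bad = defaultdict(dict), []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are legal
        m = LINE_RE.match(line)
        if m and m.group(1) in KNOWN_LABELS:
            label, client_random, secret = m.groups()
            want = (96,) if label == "CLIENT_RANDOM" else (64, 96)
            if len(secret) in want:
                sessions[client_random.lower()][label] = secret.lower()
                continue
        bad.append(lineno)                # malformed line: Wireshark would skip it
    return dict(sessions), bad

def decryptable(sessions):
    """Client randoms whose application data can be decrypted, with the TLS version."""
    out = {}
    for cr, labels in sessions.items():
        if "CLIENT_RANDOM" in labels:
            out[cr] = "TLS1.2"
        elif {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= set(labels):
            out[cr] = "TLS1.3"            # handshake secrets alone only decrypt the handshake
    return out

# Constructed sample log (not real secrets): a TLS 1.2 session, a full TLS 1.3
# session, a 1.3 session with a handshake secret only, and one truncated line.
SAMPLE_LOG = "\n".join([
    "# constructed sample, not a real key log",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "11" * 32 + " " + "22" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "11" * 32 + " " + "33" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "11" * 32 + " " + "44" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "11" * 32 + " " + "55" * 32,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "99" * 32 + " " + "66" * 32,
    "CLIENT_RANDOM deadbeef 00",
])
```

Anyone holding this file can decrypt the matching captures, so it should be stored and shared with the same care as the PCAP itself.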

SSL has been replaced by TLS in version 3.0.0 of Wireshark.