tcpdump/ethereal and HTTPS

 
 
Bin Chen
      06-07-2007, 06:09 AM
Hi,

Are there any possible ways to capture HTTP messages over HTTPS?
Conceptually I know that HTTPS is an SSL link with a public or private
certification key. Suppose I am using Firefox to browse an https
website, so it is possible that I take the key from Firefox and then
input it to network analysis tools such as tcpdump and ethereal.

I want to know how to do it.

And if the answer is no, how can a developer debug the protocol
over SSL?

Thanks in advance!

Bin

 
Robert Harris
      06-07-2007, 08:46 AM
There is a program called ssldump that understands SSL - Google for it.

Robert
 
Bin Chen
      06-07-2007, 11:18 AM
On Jun 7, 4:46 pm, Robert Harris <robert.f.har...@blueyonder.co.uk>
wrote:
> There is a program called ssldump that understands SSL - Google for it.
>

Thanks. Do you know how to get the key file from Firefox and then
input it to ssldump?


 
Barry Margolin
      06-07-2007, 01:04 PM
Bin Chen wrote:

> Thanks. Do you know how to get the key file from Firefox and then
> input it to ssldump?


I think ssldump captures it from the SSL session all by itself.

--
Barry Margolin, (E-Mail Removed)
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
 
Bin Chen
      06-07-2007, 02:09 PM
On Jun 7, 9:04 pm, Barry Margolin <bar...@alum.mit.edu> wrote:
> I think ssldump captures it from the SSL session all by itself.
>

Yes, of course, but after that, we need to inject the key for the
ssldump to decrypt the SSL data.


 
Patrick Klos
      06-07-2007, 10:24 PM
Barry Margolin wrote:
>I think ssldump captures it from the SSL session all by itself.


That shouldn't be possible. In theory, if a session could be decrypted
by simply analyzing the session, then what good would the encryption be??

I have thought about implementing a decryption feature for another
protocol analysis tool (you can guess which one), so I have looked into
this a little. In order to be able to decrypt an SSL session, you would
at a minimum need to have access to the server's private key - as far as I
can tell, THAT would be the one piece of information that would be hard
to get. As I learn more about the basics of SSL, I'm sure I'll find out
what else might be needed?

Oh, and ssldump's manual talks about decryption as well:

(from ssldump's TROUBLESHOOTING guide)
Case 1: No private key
If ssldump is going to decrypt the traffic it needs to have the
server's private key. You provide it with the '-k' option. The key
password (if needed) is provided with the '-p' option.

Patrick Klos
========= For LAN/WAN Protocol Analysis, check out PacketView Pro! =========
Patrick Klos Email: (E-Mail Removed)
Klos Technologies, Inc. Web: http://www.klos.com/
============================================================================
 
Bin Chen
      06-07-2007, 11:31 PM
On Jun 8, 6:24 am, p...@osmium.mv.net (Patrick Klos) wrote:
> That shouldn't be possible. In theory, if a session could be decrypted
> by simply analyzing the session, then what good would the encryption be??
>

If it is impossible, how can the browser get the information from the
HTTPS? I think there should be a way.


 
Patrick Klos
      06-08-2007, 12:07 AM
Bin Chen wrote:
>If it is impossible, how can the browser get the information from the
>HTTPS? I think there should be a way.


Please, someone, correct me if (where) I'm wrong. Here's the basic operation
(my understanding of it):

1) Client requests secure connection with server. The client generates
its own private and public key.

2) Server sends its PUBLIC key to client.
Client sends its PUBLIC key to server.

3) Client and server can now communicate with public key encryption, which
is computationally expensive.

4) Client and server negotiate a less computationally expensive encryption
algorithm via the secure channel.

5) Client and server switch to the new encryption method and communicate
using that encryption until one side or the other has a reason to
change.

Looking at this, I realize that if both sides do indeed use their own
private and public keys, you'd need the private keys from BOTH sides in
order to decrypt the stream. Is that right?

Patrick
Rainer Weikusat
      06-08-2007, 07:19 AM
Patrick Klos writes:

[...]

>>If it is impossible, how can the browser get the information from the
>>HTTPS? I think there should be a way.

>
> Please, someone, correct me if (where) I'm wrong. Here's the basic operation
> (my understanding of it):
>
> 1) Client requests secure connection with server. The client generates
> its own private and public key.
>
> 2) Server sends its PUBLIC key to client.
> Client sends its PUBLIC key to server.
>
> 3) Client and server can now communicate with public key encryption, which
> is computationally expensive.
>
> 4) Client and server negotiate a less computationally expensive encryption
> algorithm via the secure channel.
>
> 5) Client and server switch to the new encryption method and communicate
> using that encryption until one side or the other has a reason to
> change.
>
> Looking at this, I realize that if both sides do indeed use their own
> private and public keys, you'd need the private keys from BOTH sides in
> order to decrypt the stream. Is that right?


You may want to have a look at this

http://en.wikipedia.org/wiki/Diffie-Hellman

and further references about the topic (eg the TLS-RFC).
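
The question of whose private keys a decryptor needs, and the Diffie-Hellman pointer above, as an added example that is not part of any post in this thread: a toy Python model of what a passive capture plus the server's RSA private key yields under RSA key transport versus an ephemeral Diffie-Hellman exchange. The parameters, the function names and the SHA-256 key derivation are assumptions made for illustration; they are not TLS's real key schedule or record format.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example; far too small for real use.
RSA_P, RSA_Q, RSA_E = 2**61 - 1, 2**89 - 1, 65537      # two Mersenne primes
RSA_N = RSA_P * RSA_Q                                  # server's public modulus
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))      # server's private exponent
DH_P, DH_G = 2**127 - 1, 3                             # toy Diffie-Hellman group


def session_key(secret: int) -> str:
    """Stand-in for the key derivation both endpoints run on the shared secret."""
    return hashlib.sha256(secret.to_bytes(32, "big")).hexdigest()


def rsa_key_transport():
    """Client picks the secret and sends it encrypted under the server's public key."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    capture = {"enc_premaster": pow(premaster, RSA_E, RSA_N)}  # all a sniffer sees
    return session_key(premaster), capture


def ephemeral_dh():
    """Each side sends g^x mod p; the secret itself never crosses the wire."""
    a = secrets.randbelow(DH_P - 3) + 2    # client's ephemeral private value
    b = secrets.randbelow(DH_P - 3) + 2    # server's ephemeral private value
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    client_key = session_key(pow(B, a, DH_P))
    server_key = session_key(pow(A, b, DH_P))
    assert client_key == server_key        # both endpoints derive the same key
    capture = {"p": DH_P, "g": DH_G, "A": A, "B": B}
    return client_key, capture


def analyst_recover(capture: dict, server_private_d: int):
    """Passive analyst holding the capture plus the server's RSA private key."""
    if "enc_premaster" in capture:
        # No client private key is involved: the server key alone opens the secret.
        return session_key(pow(capture["enc_premaster"], server_private_d, RSA_N))
    # Nothing in a DH capture is encrypted to the RSA key; recovering the secret
    # would mean solving a discrete logarithm for A or B.
    return None
```

In the ephemeral case the server's long-term key only authenticates the exchange, so a debugging setup has to obtain the session secrets from one of the endpoints instead.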

 
Ayyoub Akbari Moghanjoughi
      06-08-2007, 08:22 AM
On Jun 7, 4:46 pm, Robert Harris <robert.f.har...@blueyonder.co.uk>
wrote:
> that understands SSL - Google for it.
>
> Robert


Robert is right. There is a program called ssldump.

 