Re: Https sniffer

Phalak, Kashmira Vijay wrote:
>  
> Hi All,
>
> Thanks for your suggestions! But most of these products suggested need
> the private key to be supplied for decrypting the SSL traffic. The HTTP
> Analyzer which I initially tried, does not need the private key to be
> supplied and does a good job of decrytping SSL traffic. Can anyone
> explain to me how this works? But the HTTP analyzer only sniffs the
> traffic in the current user session. This behavior is different from
> that of ethereal when I set it in promiscuous mode. Here, I can see
> traffic from other machines on the same ether segment. I may be wrong
> here, but I don't see this in either ClearWatch,ssldump or ngrep. 
>
> Thanks,
> Kashmira.

Hi Kashmira,

The way that the tool that you have been using works is by accessing the 
WinInet debugging interfaces, and getting the information as it is 
decrypted by the MS SSL libraries. This is possible without the server's 
private key, because it is accessing the client's negotiated symmetric 
keys, I guess.

Of course, if you were to use any other non-WinInet SSL libraries (e.g. 
OpenSSL, FireFox, etc) HTTP Analyser would not be able to do anything at 
all.

So, the significant difference between HTTP Analyser, and the other 
tools that have been suggested, is that HTTP Analyser is not actually 
sniffing the network at all, whereas the other recommendations do (and 
hence CAN support a promiscuous mode).

If you want to perform promiscuous network sniffing, AND decrypt SSL 
communications that you collect in this way, you WILL need the servers' 
private keys. There is no other way (short of "breaking" SSL).

The alternative, if you can convince the other parties on the network to 
use you as a proxy, is to set up something like DSniff's SSL MITM, or 
WebScarab, and intercept the connections. This would enable you to get 
the clear text comms for a number of clients on the network, at the cost 
of a certificate error pop-up in each client.

Regards,

Rogan