RE: Https sniffer

["Phalak, Kashmira Vijay" <kphalak () verisign com>]

Rogan,

Thanks for the explanation..that was really helpful! 
Now that I'm pretty much clear on this, I will have to pass up the idea
of using a HTTPS sniffer as it would require the server's private key
and look at some MITM tools such as Dsniff, EtterCap etc. as suggested
by you and other members. Imre gave some really good suggestions too and
I read up on stunnel and I think it would be worth a try for my purpose.


Thank you all for your help...

Regards,
Kashmira.




-----Original Message-----
From: Rogan Dawes [mailto:discard () dawes za net] 
Sent: Wednesday, July 20, 2005 11:54 PM
To: Phalak, Kashmira Vijay
Cc: vuln-dev () securityfocus com; webappsec () securityfocus com
Subject: Re: Https sniffer

Phalak, Kashmira Vijay wrote:
>  
> Hi All,
>
> Thanks for your suggestions! But most of these products suggested need

> the private key to be supplied for decrypting the SSL traffic. The 
> HTTP Analyzer which I initially tried, does not need the private key 
> to be supplied and does a good job of decrytping SSL traffic. Can 
> anyone explain to me how this works? But the HTTP analyzer only sniffs

> the traffic in the current user session. This behavior is different 
> from that of ethereal when I set it in promiscuous mode. Here, I can 
> see traffic from other machines on the same ether segment. I may be 
> wrong here, but I don't see this in either ClearWatch,ssldump or
ngrep.
> Thanks,
> Kashmira.

Hi Kashmira,

The way that the tool that you have been using works is by accessing the
WinInet debugging interfaces, and getting the information as it is
decrypted by the MS SSL libraries. This is possible without the server's
private key, because it is accessing the client's negotiated symmetric
keys, I guess.

Of course, if you were to use any other non-WinInet SSL libraries (e.g. 
OpenSSL, FireFox, etc) HTTP Analyser would not be able to do anything at
all.

So, the significant difference between HTTP Analyser, and the other
tools that have been suggested, is that HTTP Analyser is not actually
sniffing the network at all, whereas the other recommendations do (and
hence CAN support a promiscuous mode).

If you want to perform promiscuous network sniffing, AND decrypt SSL
communications that you collect in this way, you WILL need the servers' 
private keys. There is no other way (short of "breaking" SSL).

The alternative, if you can convince the other parties on the network to
use you as a proxy, is to set up something like DSniff's SSL MITM, or
WebScarab, and intercept the connections. This would enable you to get
the clear text comms for a number of clients on the network, at the cost
of a certificate error pop-up in each client.

Regards,

Rogan