
How to get the cipher key used by the current SSL connection in Firefox?

I would like to ask one quick question. Is there any add-on for Firefox, or a tool, to get the session key generated from the master secret during the SSL handshake, by which the whole client/server communication is symmetrically encoded? I need it to decode the communication (POST/GET/etc.) via Wireshark or the PCAP library. As far as I can see, Firebug shows the decrypted communication, so I hope there is some proper way to get this session key :)

Thank you all for the help.

ITman asked Feb 11 '12 20:02


2 Answers

I have good news for you. You can actually get the Master-Key data that you need from both Firefox and Chrome. And you can use the output file in Wireshark to decrypt the SSL/TLS traffic without the need for the private key from the SSL/TLS server. Check out "Method 2" here: http://www.root9.net/2012/11/ssl-decryption-with-wireshark-private.html

As a tip, if you don't want to reboot your machine just open a command prompt and run:

set SSLKEYLOGFILE=c:\sslKeyLogFile.txt

"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"

Since Firefox is being launched from the same session that you added the environment variable in, it will launch with that variable set. Otherwise a restart of Windows will be required after setting it in the System settings dialogs.

I also want to point out that the answer from Chris wasn't necessarily wrong; this is a fairly new feature. It didn't make it into release until Wireshark 1.6.

hawkbat05 answered Oct 05 '22 11:10
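
An added example, not part of hawkbat05's answer: a Python check that the file written via SSLKEYLOGFILE contains well-formed NSS key log entries before it is pointed to from Wireshark. It goes beyond the answer by also accepting the TLS 1.3 labels that later NSS versions write; the sample lines are constructed dummy values.

```python
import re
from collections import Counter
# NSS key log labels: CLIENT_RANDOM = TLS 1.2 master secret, RSA = older pre-master form.
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET", "EARLY_EXPORTER_SECRET",
}
HEX = re.compile(r"[0-9a-fA-F]+\Z")

def check_line(line):
    """Return (label, None) if valid, (None, None) if blank/comment, else (None, reason)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None, None
    parts = line.split(" ")
    if len(parts) != 3:
        return None, "expected 3 space-separated fields"
    label, ident, secret = parts
    if not (HEX.match(ident) and HEX.match(secret)):
        return None, "non-hex field"
    if label == "CLIENT_RANDOM":      # 32-byte client random, 48-byte master secret
        ok = len(ident) == 64 and len(secret) == 96
    elif label == "RSA":              # 8 bytes of encrypted pre-master, 48-byte pre-master
        ok = len(ident) == 16 and len(secret) == 96
    elif label in TLS13_LABELS:       # secret is 32 or 48 bytes (SHA-256 / SHA-384)
        ok = len(ident) == 64 and len(secret) in (64, 96)
    else:
        return None, "unknown label " + label
    return (label, None) if ok else (None, "wrong field length for " + label)

def summarize(text):
    """Count valid entries per label; collect (line_no, reason) for bad lines."""
    counts, errors = Counter(), []
    for no, line in enumerate(text.splitlines(), 1):
        label, err = check_line(line)
        if err:
            errors.append((no, err))
        elif label:
            counts[label] += 1
    return counts, errors

# Constructed sample with dummy values (not real key material).
SAMPLE = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 20,   # truncated entry
    "SERVER_TRAFFIC_SECRET_0 " + "01" * 32 + " " + "ef" * 32,
])
print(summarize(SAMPLE))
```

Anyone who can read the key log file can decrypt the captured sessions, so unset the variable and delete the file once debugging is finished.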


If you want to use Wireshark then the pre master secret will be of no use for you (you refer to it as 'cipher key' in your question).

Wireshark can only decrypt traffic if you specify the RSA private key of the server, which doesn't change on every connection unlike the pre master secret. However, you can't get that through your browser or anything else for obvious reasons.

If you want to decrypt SSL traffic I suggest using an intermediate proxy instead, like Fiddler. It does not passively capture traffic but proxies the traffic, which enables it to actually decrypt the data sent and received.

Chris answered Oct 05 '22 09:10