Decrypting SSL

Today I'm studing network security / firewalls / SSL monitoring.  I'm treating these three items as one subject.  Network security is the general topic and a network firewall is the most common methiod of controling network traffic.  Today, SSL monitoring is the real goal.

As a part of a network security event that happend at work, I was hit by the two edegged sord that is SSL network encryption.  On one side it keeps your network traffic safe from spying eyes.  On the other side, it keeps the traffic safe from your eyes and anything a hacker is doing to your web site.

I've been looking for a product to monitor (IE spy on) SSL traffic.  There are lots of ways to do this.  You could:

1) use a Man in the Middle (MITM) proxy
2) use a network sniffer with a SSL decryption tool
3) use a plugin in Apache to write out all the html traffic

With a MITM proxy, the user connects to the proxy and then the proxy decrypts the ssl data, write it to a log, and passes the request on to the web server.  The reply is, writen to a log, encrypted by the proxy and passed back to the user.  A working example is webmitm witch is a part of dsniff projeject. (http://www.monkey.org/~dugsong/dsniff/) The problem with this sort of proxy is it doesn't scale well.  If the web site is doing hundres of ssl connections the prxoy handel all the traffic for all the web servers.  A good white paper about this is avaible from SANS. (http://www.sans.org/rr/whitepapers/threats/480.php)

Wireshark (this was etheral) is a network sniffer. (http://www.wireshark.org) I have tried the plugin called Ethereal ssl decryiption (http://ssl-decrypt.sourceforge.net).  I have yet to get this to work.  I think the problem is between the chair and the keyborad, not in the program.  For me, more documentation and examples are needed.  (Maybe this will be a story for another day.)

TCPDUMP is the best program I have found. (http://www.rtfm.com/ssldump) This program is simple to use and can decrypt live traffic from an ethernet port or you can feed it a tcpdump (URL) file.  The trouble I'm having with this program, and I may find this is true of all SSL decryption programs, is it only decrypts part of the traffic.  I can see the heards and some of the HTML data comming through the network but not all.

Another program I've looked at is SSL Sniff (http://www.thoughtcrime.org/ie.html).  

The Apache module mod_trace_log (see: http://webauthv3.stanford.edu/manual/mod) will write to a log all the users data as well as the access information.  

With all this I have yet to find a good solution to this problem.  I still can not view my SSL traffic going to  my customers.

Do any of you know how to decrypt a SSL stream given the keys? 


Leave a Reply

Your email address will not be published. Required fields are marked *