I am looking for a library, a code snippet, or general advice for decrypting HTTPS traffic from a browser, from the client's point of view (no access to the server, but full access to the client). I know that Firefox, for example, supports NSS, so that it can drop the SSL key into a file, but how can it be exploited by the libpcap API to decrypt the HTTPS traffic?

This seems like a fairly common question so I thought I'd ask it here, maybe it has already been addressed before, so that I don't have to reinvent the wheel.

Edit: so in other words, I would like to have a code snippet or code architecture that helps me to decrypt HTTPS traffic from TCP packets, given the browser master key. Something similar to what Wireshark already does, as described here: https://security.stackexchange.com/questions/35639/decrypting-tls-in-wireshark-when-using-dhe-rsa-ciphersuites

Thanks.

vylway
  • 1
    This must be done entirely in the browser. This is, after all, the whole point of encryption. A third party, who is not the client, should not be able to access cleartext communications. Your only possible solution is a browser plugin of some sort. Because if someone comes up with an independent tool that can sniff out a client's encrypted communications, independently, they'll officially break the intertubes. – Sam Varshavchik May 15 '15 at 23:50
  • @SamVarshavchik I'm not so sure about that. As I said, Firefox for example supports NSS, so that pretty much all HTTPS connections can be monitored, say by Wireshark. So libpcap should be able to do the same, I just wondered what the code would look like (it has been done in Wireshark, but I'm assuming the code is fairly hard to read). So to answer your concerns, yes it requires the browser to allow to be monitored, but as I said I have control over the client, so this is not an issue. – vylway May 15 '15 at 23:55
  • 1
    I find it highly unlikely that NSS will allow one process to decrypt another process's encrypted traffic. That would be a major, major security hole that the NSA would just love... – Sam Varshavchik May 15 '15 at 23:56
  • 1
    @SamVarshavchik Well it requires the browser to allow to be monitored, but as I said, I have control over the client, so this is not an issue. The full step by step is described here, for example: http://security.stackexchange.com/questions/35639/decrypting-tls-in-wireshark-when-using-dhe-rsa-ciphersuites – vylway May 15 '15 at 23:58
  • 2
    "So libpcap should be able to do the same". Presumably you mean "*a program that uses libpcap* should be able to do the same". Libpcap is a library for capturing network traffic, saving it to a file, and reading those saved files; the expectation is that *interpreting* the captured traffic, including decrypting it, will be done by the software that *uses* libpcap. Wireshark uses libpcap, and can decrypt some SSL traffic, so it's possible, but, yes, the code is complicated. –  May 15 '15 at 23:59
  • @GuyHarris yes this is what I mean, sorry for explaining myself poorly. But thank you for taking the time to decipher what I meant. So yes, I'm looking for a piece of code that would decrypt the HTTPS traffic, captured with the libpcap library, and using a provided private key given by the browser. – vylway May 16 '15 at 00:02
  • 1
    @RemyLebeau but having the private key of the browser is enough, is it not? As described in the link I provided in my comment above. – vylway May 16 '15 at 00:07
  • @RemyLebeau Okay, assuming you are right, I don't mind, I'm only interested in what the browser receives anyway. – vylway May 16 '15 at 00:13
  • 1
    @RemyLebeau: Did you follow the link the questioner provided? Both Firefox and Chrome support dropping the master secrets into a file, which Wireshark can use to decrypt an SSL session. Both directions. (Every comment here is wrong except for the questioner's. He meant "master secret" not "private key".) – Nemo May 16 '15 at 00:14
  • 1
    @vylway: I strongly suggest you put that link into the text of your question. A lot of people do not realize that this is, in fact, possible. (Although you might be better served asking on a Wireshark developer list...) – Nemo May 16 '15 at 00:15
  • @Nemo I tried to reformulate the question a bit, but since I'm neither a native English speaker nor tech savvy, please feel free to modify it further if you think it could be put in clearer words. – vylway May 16 '15 at 00:21
  • @RemyLebeau Not you? SSL does not use public key encryption. The client doesn't necessarily even have a public key, so this is impossible anyway, and it is also slow. SSL uses symmetric encryption. The server's public key is used to verify his certificate, and, in some cipher suites only, to initiate the key negotiation process. The output of that process is a symmetric key independently computed at both ends. To sniff the plaintext you would need the cooperation of one of the peers. – user207421 May 16 '15 at 00:58
  • @RemyLebeau Your comment containing 'DOES NOT HAVE IT' is also incorrect, for the same reason. – user207421 May 16 '15 at 01:39
  • @EJP you said that you'd need the cooperation of one of the peers, but this is the case, in my situation, so that's great. You have the full client side cooperation. So how to proceed from here? – vylway May 16 '15 at 02:58
  • 1
    While it should be possible, it will not be simple with a few lines of code. Apart from the encryption stuff you first need to assemble your TCP streams (layer 4), because from libpcap you only get packets (layer 3). And since it will not be a simple code fragment, I recommend you just look into the source code of Wireshark, not only for inspiration but for real code, and maybe you could also reuse part of the real code there for your own purpose. – Steffen Ullrich May 16 '15 at 05:18
  • The key will not be enough if PFS is used (https://en.wikipedia.org/wiki/Forward_secrecy), and more and more websites are enabling it, for the exact reason of not allowing traffic recorded now to be decrypted in the future when managing to get the key. – CMoi May 20 '15 at 06:59
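
The key-handling step the question and comments discuss, as an added example that is not part of the original thread and not Wireshark's code: it reads `CLIENT_RANDOM` lines in the NSS key log format, looks up the master secret by the ClientHello random, and expands it into TLS 1.2 record keys with the RFC 5246 PRF. The sample key log, the function names and the AES-128-GCM key sizes are assumptions made for illustration; TCP reassembly and record decryption are not shown.

```python
import hashlib
import hmac

# Constructed sample key log (not real key material).
# NSS format: CLIENT_RANDOM <32-byte client random, hex> <48-byte master secret, hex>
SAMPLE_KEYLOG = "# constructed sample\nCLIENT_RANDOM {} {}\n".format("11" * 32, "22" * 48)

def parse_keylog(text):
    """Return {client_random: master_secret} for well-formed CLIENT_RANDOM lines."""
    secrets = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "CLIENT_RANDOM":
            continue  # comments, blank lines and other labels are skipped
        try:
            cr, ms = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
        except ValueError:
            continue  # not hex
        if len(cr) == 32 and len(ms) == 48:
            secrets[cr] = ms
    return secrets

def p_hash(secret, seed, length, digest=hashlib.sha256):
    """P_hash from RFC 5246 section 5 (SHA-384 suites pass hashlib.sha384)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()             # A(i)
        out += hmac.new(secret, a + seed, digest).digest()   # HMAC(secret, A(i) + seed)
    return out[:length]

def derive_keys(master, client_random, server_random, mac_len, key_len, iv_len):
    """Split the TLS 1.2 key block into per-direction keys (RFC 5246 section 6.3)."""
    seed = b"key expansion" + server_random + client_random  # server random first
    block = p_hash(master, seed, 2 * (mac_len + key_len + iv_len))
    names = ["client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

def keys_for_session(keylog_text, client_random, server_random):
    """Look up the logged master secret for one captured handshake."""
    master = parse_keylog(keylog_text).get(client_random)
    if master is None:
        return None  # the browser never logged this session
    # Assumed suite: AES_128_GCM (no MAC key, 16-byte key, 4-byte implicit IV).
    return derive_keys(master, client_random, server_random, 0, 16, 4)
```
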

0 Answers