Decrypt TLS traffic with cert and a network dump?

Posted by DonL314@reddit | sysadmin | View on Reddit | 8 comments

I have been decrypting TLS traffic using Wireshark. In those cases I controlled the browser and could enable saving the negotiated symmetric session keys to a file and add that file as reference in Wireshark so I could look inside the encrypted traffic. But if I had a copy of the server certificate (including the Private Key), would I then be able to extract the negotiated symmetric key from the network traffic and snoop on the session?

Reply to Post

8 Comments

[-]

thenickdude@reddit

Not if the client negotiates a TLS protocol that supports Perfect Forward Secrecy. With PFS, even knowing the server's private key does not let you decrypt a conversation you've MitM'd. TLS 1.3 onwards mandates PFS, so all connections are protected. For earlier versions only some cipher suites support it (the ones with ephemeral key exchange).

[-]

DonL314@reddit (OP)

Great, thank you. It seems like I cannot do it (which is probably best anyway)

[-]

brkdncr@reddit

You’re describing a MitM attack and they can be both malicious and security related.

[-]

DonL314@reddit (OP)

Yep, it would be lovely for debugging but I am not sure if it even can be done. Sorry for asking but in a MiTM attack, wouldn't that require the MiTM to be an endpint to somebody else whereas in this case the MiTM is just snooping?

[-]

brkdncr@reddit

I deploy a cert that lets me see the complete dns url that’s being requested. I’m deploying a cert that lets me decrypt all traffic going through my firewalls. If the client trusts the cert ot can be used to decrypt lots of traffic. A rogue router, AP, switch could snoop traffic, or even someone knowing your wifi password. Quic and I think hsts protocols attempt to deal with this but you can force clients to downgrade.

[-]

DonL314@reddit (OP)

Thank you 🙂

[-]

AccidentallyBacon@reddit

maybe. rtfm: https://wiki.wireshark.org/TLS#tls-decryption

[-]

DonL314@reddit (OP)

Great, thanks! I wonder how I missed this.