views:

587

answers:

4

I've got a local application (which I didn't write, and can't change) that talks to a remote web service. It uses HTTPS, and I'd like to see what's in the traffic.

Is there any way I can do this? I'd prefer a Windows system, but I'm happy to set up a proxy on Linux if this makes things easier.

What I'm considering:

  1. Redirecting the web site by hacking my hosts file (or setting up alternate DNS).
  2. Installing an HTTPS server on that site, with a self-signed (but trusted) certificate.
  3. Apparently, WireShark can see what's in HTTPS if you feed it the private key. I've never tried this.
  4. Somehow, proxy this traffic to the real server (i.e. it's a full-blown man-in-the-middle "attack").

Does this sound sensible? Can WireShark really see what's in HTTPS traffic? Can anyone point me at a suitable proxy (and configuration for same)?

+4  A: 

Does Fiddler do what you want? :

What is Fiddler?

Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language.

Fiddler is freeware and can debug traffic from virtually any application, including Internet Explorer, Mozilla Firefox, Opera, and thousands more.

AakashM
Yes, it can act as a man-in-the-middle proxy for HTTPS requests - note that it serves up an unsigned certificate, so if your app requires trusted certs, you'll have to either disable this requirement, or trust the cert - which Fiddler doesn't advise: http://www.fiddler2.com/Fiddler/help/httpsdecryption.asp
Zhaph - Ben Duguid
I've got it viewing HTTPS traffic from Internet Explorer and Chrome; now to find out whether it'll work for the app in question...
Roger Lipscombe
...except that the app in question only runs with admin rights, and Fiddler doesn't seem to want to install its HTTPS certificate under my administrator account (I run LUA most of the time).
Roger Lipscombe
You can absolutely copy the Fiddler self-signed root certificate into the machine-wide Trusted Root store.
EricLaw -MSFT-
+1  A: 

You need to setup a proxy for your local application and if it doesnt honour proxy settings, put a transparent proxy and route all https traffic into it before going outside. Something like this can be the "man" in the middle: http://crypto.stanford.edu/ssl-mitm

Also, here's brief instructions on how to archive this with wireshark: http://predev.wikidot.com/decrypt-ssl-traffic

rasjani
A: 
  1. For using https proxy to monitor, it depends on the type of handshake. If you local application does not check the server's certificate by CA's signature which you can not fake, and the server does not check your local application's certificate ( or if you have one to setup on https proxy) then you can set up a https proxy to monitor the https traffic. Otherwise, I think it is impossible to monitor traffic with https proxy.

  2. Another way you can try is to add instrumentation probe at the routines of your client program where it send and receive messages from its https library. It needs some reverse engineering work, but should work for you for all situations.

arsane
A: 

I would recommend WireShark, it is the best tool to follow on different pieces of traffic. Although, I am not sure what can you see with SSL turned on. Maybe, if you supply it with a certificate?

dusoft