tags:

views:

587

answers:

4
+1  Q: 

Capturing HTTPS traffic in the clear?

I've got a local application (which I didn't write, and can't change) that talks to a remote web service. It uses HTTPS, and I'd like to see what's in the traffic.

Is there any way I can do this? I'd prefer a Windows system, but I'm happy to set up a proxy on Linux if this makes things easier.

What I'm considering:

  1. Redirecting the web site by hacking my hosts file (or setting up alternate DNS).
  2. Installing an HTTPS server on that site, with a self-signed (but trusted) certificate.
  3. Apparently, WireShark can see what's in HTTPS if you feed it the private key. I've never tried this.
  4. Somehow, proxy this traffic to the real server (i.e. it's a full-blown man-in-the-middle "attack").

Does this sound sensible? Can WireShark really see what's in HTTPS traffic? Can anyone point me at a suitable proxy (and configuration for same)?

+4  A: 

Does Fiddler do what you want? :

What is Fiddler?

Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language.

Fiddler is freeware and can debug traffic from virtually any application, including Internet Explorer, Mozilla Firefox, Opera, and thousands more.

AakashM  2009-07-02 08:37:36
Yes, it can act as a man-in-the-middle proxy for HTTPS requests - note that it serves up an unsigned certificate, so if your app requires trusted certs, you'll have to either disable this requirement, or trust the cert - which Fiddler doesn't advise: http://www.fiddler2.com/Fiddler/help/httpsdecryption.asp
Zhaph - Ben Duguid  2009-07-02 08:55:06
I've got it viewing HTTPS traffic from Internet Explorer and Chrome; now to find out whether it'll work for the app in question...
Roger Lipscombe  2009-07-02 09:23:11
...except that the app in question only runs with admin rights, and Fiddler doesn't seem to want to install its HTTPS certificate under my administrator account (I run LUA most of the time).
Roger Lipscombe  2009-07-02 09:29:45
You can absolutely copy the Fiddler self-signed root certificate into the machine-wide Trusted Root store.
EricLaw -MSFT-  2009-07-19 17:03:47
+1  A: 

You need to setup a proxy for your local application and if it doesnt honour proxy settings, put a transparent proxy and route all https traffic into it before going outside. Something like this can be the "man" in the middle: http://crypto.stanford.edu/ssl-mitm

Also, here's brief instructions on how to archive this with wireshark: http://predev.wikidot.com/decrypt-ssl-traffic

rasjani  2009-07-02 08:40:56
A: 

  1. For using https proxy to monitor, it depends on the type of handshake. If you local application does not check the server's certificate by CA's signature which you can not fake, and the server does not check your local application's certificate ( or if you have one to setup on https proxy) then you can set up a https proxy to monitor the https traffic. Otherwise, I think it is impossible to monitor traffic with https proxy.

  2. Another way you can try is to add instrumentation probe at the routines of your client program where it send and receive messages from its https library. It needs some reverse engineering work, but should work for you for all situations.

arsane  2009-07-02 08:42:40
A: 

I would recommend WireShark, it is the best tool to follow on different pieces of traffic. Although, I am not sure what can you see with SSL turned on. Maybe, if you supply it with a certificate?

dusoft  2009-07-02 08:47:54

related questions

Why is access denied when installing SSL cert on IIS 5?
What does a PHP developer need to know about https / secure socket layer connections?
Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?
Coding Dojo with IE and SSL
Enforce SSL in code in an ashx handler
How to connect to PostgreSQL from .NET using TLS with both client and server authentication?
HELP SSL GURUs!!! ... Problems with SSL Connection
What's a clean/simple way to ensure the security of a page?
How to specify accepted certificates for Client Authentication in .NET SslStream
SharePoint stream file for preview
Problem with Oracle Application Server SSL Certificates
Is there a limit with the number of SSL connections?
Testing HTTPS files with MAMP
Cheapest SSL certificates
Limiting traffic to SSL version of page only
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Is there a way to make Firefox ignore invalid ssl-certificates?
How do I create a self signed SSL certificate to use while testing a web app.
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
HTTPS in IIS 5.1
How do you redirect HTTPS to HTTP?
Debugging: IE6 + SSL + AJAX + post form = 404 error
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Options for Google Maps over SSL