> I could watch each command and response going over the wire.
AFAIK, Wireshark supports decrypting TLS traffic if you give it the private keys.
> When a POP3 mailbox got hung up on a single huge message you could just telnet in
Use “gnutls-cli” or “openssl s_client” – transparent TLS for your terminal. Both those commands also have options supporting protocols’ use of STARTTLS.
TLS isn't magic, you can still observe the encrypted stream and make assumptions based on bytes sent/received on the wire, protocol patterns and timing. See the CRIME and BREACH attacks.
On HN a lot of people are against TLS interception. How is a defender supposed to detect this traffic? TLS aside, Snort or YARA rules can be implemented.
For personal devices of course TLS should not be interceptable. But I've personally gone 180 and support TLS decryption for enterprise networks.
Also, using TLS with Perfect Forward Secrecy (all modern ciphers), it's not possible to just capture the traffic and decrypt it later. You have to know the private key and do MITM.
Wireshark doesn't come with a built-in way to extract the dynamically exchanged TLS keys from applications and use that to decrypt the traffic, so no, it does not do what you claim.
> wireshark/tcpdump/ngrep/etc might be challenging to practically use in the presence of SSL/TLS. you can mitigate this problem by setting up SSL termination at your network perimeter so you can monitor unencrypted traffic.
I don't know why but your comment reminded me of learning about $SSLKEYLOGFILE and the ability to retroactively decrypt traffic captured in Wireshark: https://everything.curl.dev/usingcurl/tls/sslkeylogfile (I was expecting there to be an entry on MDN since my first contact with that env-var was from Mozilla's TLS library but no luck)
I guess it's the fact that in my mental model any supporting library doesn't have to be modified to allow viewing the traffic, and no cert-pinning breaks required.
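As an added example (not from the thread, and not curl's or Wireshark's code), a parser for the NSS key log format that $SSLKEYLOGFILE produces, so a defender can check which client randoms from a capture the log actually covers before handing it to Wireshark; the sample log content is constructed.

```python
"""Parser for the NSS key log format that $SSLKEYLOGFILE produces (example code, not curl's or Wireshark's)."""
from collections import defaultdict

TLS12_LABEL = "CLIENT_RANDOM"  # followed by the 48-byte master secret (TLS 1.0-1.2)
TLS13_LABELS = {               # TLS 1.3 secrets are hash-length: 32 (SHA-256) or 48 (SHA-384) bytes
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET", "EARLY_EXPORTER_MASTER_SECRET"}
CLIENT_RANDOM_LEN = 32         # bytes; sent in cleartext in the ClientHello, so a pcap has it

def parse_keylog(text):
    """Return {client_random_hex: {label: secret_hex}}; blank lines and '#' comments are skipped,
    anything else malformed raises ValueError so a truncated log is noticed, not silently dropped."""
    sessions = defaultdict(dict)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        label, client_random, secret = parts
        if label != TLS12_LABEL and label not in TLS13_LABELS:
            raise ValueError(f"line {lineno}: unknown label {label!r}")
        try:
            cr, sec = bytes.fromhex(client_random), bytes.fromhex(secret)
        except ValueError:
            raise ValueError(f"line {lineno}: field is not hex") from None
        if len(cr) != CLIENT_RANDOM_LEN:
            raise ValueError(f"line {lineno}: client random is {len(cr)} bytes, want 32")
        want = (48,) if label == TLS12_LABEL else (32, 48)
        if len(sec) not in want:
            raise ValueError(f"line {lineno}: {label} secret is {len(sec)} bytes, want {want}")
        sessions[cr.hex()][label] = sec.hex()
    return dict(sessions)

def decryptable(sessions, client_random_hex):
    """True when the log has what decrypts that session's application data: the TLS 1.2 master
    secret, or both TLS 1.3 application traffic secrets (handshake secrets alone are not enough)."""
    s = sessions.get(client_random_hex.lower(), {})
    return TLS12_LABEL in s or {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}.issubset(s)

# Constructed sample log: a TLS 1.2 session, a full TLS 1.3 session, and one (0x55...) that only logged a handshake secret.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not from a real capture",
    f"CLIENT_RANDOM {'11' * 32} {'22' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'33' * 32} {'44' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {'33' * 32} {'46' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {'33' * 32} {'47' * 32}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'55' * 32} {'66' * 32}",
])
```

The same file is what goes into Wireshark's TLS protocol preference "(Pre)-Master-Secret log filename"; a session whose client random is absent here will stay opaque there too.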
Even if you have perfect faith that it's currently impossible to crack TLS (and you probably shouldn't), they might record the stream and crack it in the future, having tools you can't even imagine currently.
I have one question though, how do you intercept TLS. Let’s say I would connect my phone to your proxy, and try to search something on the web. Wouldn't the connection not be trusted?
You can just hook the networking system calls and you have the unencrypted buffer. TLS encryption doesn't do anything since you can just look at it unencrypted on the network function when they pass in the buffer.
If they encrypt before the network functions, you can just look at the callstack and trace the variable containing the buffer backwards until it's non-encrypted.
It won't apply to every situation, but might provide some building blocks you can adapt to your environment.