Debugging a web application that depends on running over a secure connection is difficult. It used to require that you have the private key (in RSA format), and for those situations, CloudShark Enterprise’s RSA Key Management system is ideal.
The alternative is to grab a “keylog” file from your browser and use that within CloudShark to decrypt the stream.
Well, it’s official: the IETF has deprecated SSLv3.0. This means that it’s now a protocol violation to fall back to it. This is good news, since the number and types of attacks have been on the rise for a while now. We’d like to take the opportunity to explore how to debug web applications that use HTTPS over SSL/TLS in CloudShark.
It’s undeniable that debugging HTTP traffic is one of the most common use-cases for a packet decoder.
In CloudShark 2.5, we added the ability to use SSL key log file data to decrypt SSL streams in the packet viewer. But what exactly is an SSL key log file, and how do you get one so that you can do web site and web service debugging?
A key log is a log of the values used by your web browser to generate TLS session keys. Your browser does this every time, but it doesn’t do anything else with those values once they are used.
As many are aware (as it’s now become national news), a vulnerability dubbed Heartbleed was recently discovered in OpenSSL. The attack centers on the implementation of the Heartbeat extension in OpenSSL, which causes a server to return the contents of memory that should be protected. This blog post by Troy Hunt describes the vulnerability in detail: Everything you need to know about the Heartbleed SSL bug.
Being packet geeks, naturally we wanted to get a capture of the Heartbleed attack in action.
One of CloudShark’s most distinctive features is SSL stream viewing and RSA key management.
Watch the video. What do you do when you have certificates that you need to distribute to your team to look at encrypted data? How do you troubleshoot encrypted network traffic without having to give users access to your keys on their local machines?
CloudShark contains a unique key management system in addition to its packet capture repository.
If you don’t already know, one of CloudShark’s main features is the ability to manage RSA keys and allow those keys to be used to decrypt SSL traffic, allowing users to view encrypted data without ever having to give out your RSA keys.
But what about other types of encryption? We were recently approached about support for Kerberos in CloudShark captures. CloudShark can actually support the decryption of Kerberos-encrypted data using the Wireshark preferences file that we showed you before for fixing your RTP decode settings.