Ethereal-users: Re: [Ethereal-users] Seeing the data sent through ssl communication

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Olivier Biot" <ethereal@xxxxxxxxxx>
Date: Tue, 10 Aug 2004 09:23:13 +0200
From: Hansang Bae

| >From: Hansang Bae
| >| 1)  Use a proxy so you can sniff from there.  Since you control the
| >proxy, you can decrypt the packets.
|
| On 03:38 PM 8/9/2004, Olivier Biot wrote:
| >That won't work as most HTTP proxies behave as dumb data pipes for
| >encrypted HTTP (HTTPS). Typically the client issues a CONNECT request,
| >which requests a TCP connection from the proxy to the host:port
| >specified in the URI of the CONNECT request. When the TCP connection
| >has successfully been established, the proxy issues a 200 OK response
| >to the client, and then the client can start *any* protocol over this
| >TCP stream. One (and the most relevant) use is setting up a TLS, SSL
| >or PCT tunnel between client and server (over the proxy). The proxy
| >does *not* play a role in this setup but for passing data as a "dumb"
| >bit pipe. It is up to the client/server to use the correct encryption.
| >Typically the client can only encrypt the traffic as the server is the
| >only one to know the decryption key.
|
|
| I didn't mean a "run of the mill" proxy.  I meant man-in-the-middle
| type.  There are proxy-like programs that can do this.  Grinder may or
| may not do what the original user requested.

That'd require the proxy being able to generate signed certificates
on-the-fly during SSL/TLS handshake with the private key of a
certification authority (CA) which is trusted by the end-user. Unless
no endpoint identity verification is performed, which is not common
practice.

The point of end-to-end security is, well, that it provides end-to-end
security. Were this not true, then the entire SSL/TLS story would
be flawed and all our HTTPS and other secure tunnels would be
compromised. I am convinced that this isn't true.

Best regards,

Olivier
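
The CONNECT exchange described in the quoted reply above, as an added example that is not part of the original thread: a small parser showing what a capture taken at an ordinary HTTP proxy contains in the client-to-proxy direction, namely the cleartext CONNECT target followed by SSL/TLS record headers with opaque payloads. The function names and the sample bytes are constructed for illustration, and the parser assumes the 5-byte SSLv3/TLS record header (it does not handle SSLv2-format hellos or PCT).

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def parse_connect(stream: bytes):
    """Split client->proxy bytes into (host, port, tunnelled bytes)."""
    head, sep, tunnelled = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP request head")
    parts = head.split(b"\r\n")[0].decode("ascii").split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, _, port = parts[1].rpartition(":")
    return host, int(port), tunnelled

def tls_records(data: bytes):
    """Return (content type, version, length) per SSLv3/TLS record header."""
    records, offset = [], 0
    while offset + 5 <= len(data):
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, offset)
        if ctype not in CONTENT_TYPES or major != 3:
            raise ValueError(f"not an SSLv3/TLS record at offset {offset}")
        if offset + 5 + length > len(data):
            break  # record continues in a later TCP segment
        records.append((CONTENT_TYPES[ctype], f"{major}.{minor}", length))
        offset += 5 + length
    return records

# Constructed sample (not a real capture): a CONNECT request followed by
# three records whose bodies are placeholders standing in for handshake
# data and ciphertext.
SAMPLE = (
    b"CONNECT www.example.com:443 HTTP/1.1\r\n"
    b"Host: www.example.com:443\r\n\r\n"
    b"\x16\x03\x01\x00\x04" + b"\x01\x00\x00\x00"   # handshake
    + b"\x14\x03\x01\x00\x01" + b"\x01"             # change_cipher_spec
    + b"\x17\x03\x01\x00\x08" + bytes(8)            # application_data
)

if __name__ == "__main__":
    host, port, tunnel = parse_connect(SAMPLE)
    print(f"proxy is asked to connect to {host}:{port}")
    for name, version, length in tls_records(tunnel):
        print(f"  relayed record: {name} v{version}, {length} payload bytes")
```

Everything after the blank line that ends the CONNECT request is relayed unchanged; the record type, version and length are the only fields a capture at the proxy exposes once the cipher is active.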