How to get private key used to decrypt HTTPS traffic sent and received from my own browser with wireshark

Wireshark is a very powerful tool. In most cases, the (addon-less) debug consoles of the browsers Firefox and Chrome should be enough. Both have network monitors that are sufficient most of the time. Be aware that Firefox's monitor doesn't support WebSockets yet.

If you still want to use Wireshark, then consider utilizing the SSLKEYLOGFILE file; there is more help at this and this, and at your linked Wireshark wiki page.


The private key is private to the webserver. If you don't control the webserver you shouldn't be able to obtain it. The certificate only holds the public key so it wouldn't be of much use to you. You could try to set up a proxy HTTPS server and do a man-in-the-middle attack - in that case you would have the key of your proxy server.

Are you trying to crack the protocol from a piece of software, or are you normally using a browser to access the service?

In the second case you can use the temporary key for the session by configuring Firefox to log the key to a file, as was suggested by user10008: look for SSLKEYLOGFILE in the wiki page you linked, and the links that user10008 posted.


You can't, unless you have administrative control over the 3rd party web server, or retrieve the certificate via some other nefarious means. SSL/TLS is reliant upon the private certificate staying private.

Furthermore, even if you had the server's private key, you might not be able to decrypt traffic from an earlier session if Perfect Forward Secrecy was used. In that case you would have to know the specific private key used for your single session.

In principle, because you are the client, you are privy to the pre_master_secret which is what you need to derive the master_secret. The master_secret is the symmetric key that's actually used to encrypt your session. As @pqnet said, there are ways to utilise this in Firefox and Chrome, although it is dependent upon the client software, and I'm not sure about Flash. However, there are more trivial methods to inspect your own HTTPS traffic...

Local Proxies

Since it is your own connection, there is no reason why you can't pass the website through a proxy server. Many proxy servers are configured to allow SSL-pass-through, which still gives you end-to-end encryption, but you can break this by terminating your connection at the proxy server (if you trust the proxy's SSL certificate). The proxy will then establish its own SSL connection to the 3rd party website, passing along any traffic you send. Companies sometimes use the same method to inspect their users' outgoing HTTPS traffic (that's a contentious one). Essentially it's a man-in-the-middle.

Browser <---> Local Proxy <---> Website
          ^                 ^
        HTTPS             HTTPS

Local proxies run on your own machine, and allow you to inspect and even modify traffic that passes through them. If an attacker tried to do this, the user would see a browser warning to show that it has not received a valid certificate for the requested website. However, you can set up your machine to trust the local proxy's CA certificate.

Two popular local proxies that work with HTTPS traffic are:

  • Burp Suite
  • Fiddler

Burp Suite has AMF serialisation support built-in. Fiddler looks like it has an extension.
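
Added example, not part of any answer above: how a client that holds the pre_master_secret derives the master_secret (the TLS 1.2 PRF from RFC 5246) and how that value appears as a `CLIENT_RANDOM` line in an SSLKEYLOGFILE. It assumes TLS 1.2 with a SHA-256 PRF cipher suite and no extended master secret (RFC 7627); the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5, instantiated with HMAC-SHA256."""
    out, a = b"", seed                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret", randoms)[0..47]."""
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("ClientHello/ServerHello randoms are 32 bytes each")
    return p_sha256(pre_master, b"master secret" + client_random + server_random, 48)

def keylog_line(client_random: bytes, ms: bytes) -> str:
    """One TLS 1.2 entry in the NSS key log format written via SSLKEYLOGFILE."""
    return f"CLIENT_RANDOM {client_random.hex()} {ms.hex()}"

def parse_keylog(text: str) -> dict:
    """Map client_random -> master_secret for well-formed CLIENT_RANDOM lines.
    Comments, blank lines and other labels (e.g. TLS 1.3 secrets) are skipped."""
    sessions = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "CLIENT_RANDOM":
            continue
        try:
            cr, ms = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
        except ValueError:
            continue                        # not hex: ignore the line
        if len(cr) == 32 and len(ms) == 48:
            sessions[cr] = ms
    return sessions

# Constructed sample values, not taken from any real session.
PRE_MASTER = b"\x03\x03" + bytes(46)        # RSA-style: client version 3.3 + 46 bytes
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))

if __name__ == "__main__":
    ms = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    log = "# constructed key log\n" + keylog_line(CLIENT_RANDOM, ms) + "\n"
    assert parse_keylog(log) == {CLIENT_RANDOM: ms}
    print(log, end="")
```

Wireshark reads a file in this format through the TLS protocol preference "(Pre)-Master-Secret log filename". A key log file lets anyone holding a capture of the same sessions decrypt them, so it should be kept as protected as the traffic itself.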
