Why do Firefox and Chrome "leak" critical security information out of the browser and how can I stop it?

Why do Firefox and Chrome allow such easy leaking of these session keys?

To make it easier for developers to analyze their network captures. The first time I used this feature was when trying to understand what protocol is exactly used by the web-based noVNC. Using this functionality, I was able to decrypt the traffic in Wireshark.

I read some speculation that this was a debugging feature, but why is it left on by default? Note that other browsers do not leak the session keys.

By default no keys are logged / leaked. The feature exists for those who need it (see above).

Should I be concerned about this?

No. If someone is able to modify your system environment, you have larger issues. Not convinced? Did you know that Chrome has a --disable-web-security command line option? That disables protections such as the Same Origin Policy, allowing any website to modify your bank's website for example. What about the ability to install browser extensions which can listen to all of your HTTP requests and modify them without generating certificate errors?

Do not worry about this SSLKEYLOGFILE feature, it won't affect you and it is more likely that a browser extension will steal all your data or that someone will install a malicious certificate, perform a man-in-the-middle attack and inject advertisements.
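A defender's check for the situation described above, added here as an example (it is not code from the answer or from either browser): it looks for SSLKEYLOGFILE in the environment blocks of running processes and in shell startup files. It assumes Linux with /proc; the function names and the list of startup files are illustrative choices.

```python
# Added example; function names are illustrative, not part of any browser.
import os
import re
from pathlib import Path

VAR = "SSLKEYLOGFILE"
# Matches shell assignments such as `export SSLKEYLOGFILE=/tmp/keys.log`.
ASSIGN_RE = re.compile(r"^\s*(?:export\s+)?" + VAR + r"=(\S.*)$")

def keylog_from_environ(blob: bytes):
    """Return the SSLKEYLOGFILE value from a NUL-separated environ block, or None."""
    for entry in blob.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if sep and name == VAR.encode():
            return value.decode(errors="replace")
    return None

def scan_processes(proc_root="/proc"):
    """Map pid -> key log path for every readable process started with the variable."""
    hits = {}
    root = Path(proc_root)
    for entry in root.iterdir() if root.is_dir() else ():
        if not entry.name.isdigit():
            continue
        try:
            value = keylog_from_environ((entry / "environ").read_bytes())
        except OSError:  # process exited or belongs to another user
            continue
        if value is not None:
            hits[int(entry.name)] = value
    return hits

def scan_startup_file(text: str):
    """Return (line number, value) for each uncommented assignment in a startup file."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = ASSIGN_RE.match(line.split("#", 1)[0])
        if match:
            hits.append((lineno, match.group(1).strip().strip("'\"")))
    return hits

if __name__ == "__main__":
    print("current environment:", os.environ.get(VAR))
    for pid, path in sorted(scan_processes().items()):
        print(f"pid {pid} logs TLS secrets to {path}")
    for name in (".profile", ".bashrc", ".zshrc"):
        startup = Path.home() / name
        if startup.is_file():
            for lineno, path in scan_startup_file(startup.read_text(errors="replace")):
                print(f"{startup}:{lineno} sets {VAR}={path}")
```

Run as an unprivileged user it only sees that user's processes; run as root it covers every process on the host.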


I think the answer to this question can only be: If you want to turn it off, try to get involved with the developers, or compile your own version and remove the option there.

Suggestion: Turning on private mode on the browser should disable this feature. Consider filing this on the bugtracker ;)

Regarding TLS/SSL safety: Remember, TLS means transport level security, SSL means secure sockets layer. Both just deal with the encrypted transport of data. What happens in the endpoint cannot be protected that way. If you do not have full control over your PC (company device, internet cafe etc.) you should always consider the possibility of such a local data leak. Data needs to be decrypted inside the device to make it readable to you, and that always will be a weak point. Imagine the SSL certificate injection where all https traffic can be decrypted at your company's firewall by simply adding a fully trusted proxy certificate in your PC, and you would not even notice it.

So even if it sounds like a bad idea to make logging that easy, to me it is not a violation of the security mechanism behind.