Wireshark provides a cool feature: decrypt ssl (https) traffic. But how is that possible? Isn’t https supposed to be private, unbreakable, provide protection against 3rd parties listening in?
Yes, and it does… most of the time. In order to decrypt the data, you need the server’s private key. Which you don’t have usually, but others might get their hands on. And this is the problem.
If someone logs your traffic (maybe for years), and later acquires the private keys, then they can decrypt all your data sent over ssl.
This can be done only if the key exchange is RSA, because this uses the server’s “constant” private key to encrypt the session key.
If https uses Diffie–Hellman key exchange, then every session key is generated and exchanged securely. Meaning the key is generated from and encrypted with random data, and not stored anywhere. This key exchange method was designed to exchange keys over insecure, public channels. So it is not possible for 3rd party to get the key, and the information used to generate and exchange the keys are temporary, and destroyed on both sides after the key exchange is over.
Diffie–Hellman key exchange is part of many Chipper Suit, but unfortunately many sites (like google, facebook) does not include, support this. As if they do not really want for you to have complete privacy…
https channel can only be established if both sides support (at least one) same chipper.
To see and edit what chippers your Firefox browser supports open ‘about:config‘, and search for ‘ssl’.
Related Articles:
http://www.netresec.com/?page=Blog&month=2011-01&post=Facebook-SSL-and-Network-Forensics