SSL Decoding
Nowadays, more and more Internet and Intranet traffic is encrypted, which makes the analysis of malicious traffic, as well as troubleshooting, considerably harder. SSL traffic can be decoded offline, from a packet capture of the traffic together with the SSL private keys (if they can be obtained), or online through a run-time SSL proxy. We developed RedSplice to help with this by implementing both passive and active SSL traffic decryption.
Passive Mode SSL Decoding
SSL passive mode was developed for decoding traffic captured directly from the network wire, without interfering with the original client-server traffic. It is useful in the following cases:
- Decrypting traffic where the private key used to encrypt the information is available.
This is useful where the traffic in the network is relayed through a transparent SSL proxy and the user has access to the private key the proxy uses to encrypt the traffic sent to the clients.
- Decrypting traffic where the session keys are available.
This scenario applies to traffic generated by the Mozilla Firefox and Google Chrome browsers in debug mode. The browsers dump the SSL session keys in the NSS (Network Security Services) key log format, to the file at the path specified by the SSLKEYLOGFILE environment variable.
- Decrypting traffic encrypted using a PSK (pre-shared key) algorithm.
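The session-key case above relies on the NSS key log format: one record per line, a label, the 32-byte TLS client random in hex, and the secret in hex (a 48-byte master secret for the `CLIENT_RANDOM` label, or the per-direction traffic secrets that TLS 1.3 writes under labels such as `CLIENT_TRAFFIC_SECRET_0`). A key log of this kind lets a passive decoder recover the session regardless of the key exchange used, whereas decryption with a server private key only works for sessions that used RSA key exchange. The following parser is an added example and is not RedSplice code; it indexes a key log by client random so that a decoder can look up the secrets for a session it sees on the wire, and it rejects lines whose field lengths do not match the format. The sample log lines are constructed for illustration and contain no real secrets.

```python
"""Parse an NSS key log (the file written when SSLKEYLOGFILE is set) and
index its secrets by TLS client random.

Added example, not RedSplice code. The sample lines at the bottom are
constructed; the hex values are not real secrets.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Labels defined by the NSS key log format: the TLS 1.2-style master secret
# and the TLS 1.3 handshake/application/exporter secrets.
KNOWN_LABELS = {
    "CLIENT_RANDOM",                      # TLS <= 1.2: 48-byte master secret
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}

# <label> <client_random hex> <secret hex>, whitespace separated.
LINE_RE = re.compile(
    r"^(?P<label>[A-Z0-9_]+)\s+(?P<rand>[0-9a-fA-F]+)\s+(?P<secret>[0-9a-fA-F]+)\s*$"
)


@dataclass
class KeyLogEntry:
    label: str
    client_random: bytes
    secret: bytes


@dataclass
class KeyLog:
    # client_random -> {label: secret}; one session can carry several labels.
    sessions: dict[bytes, dict[str, bytes]] = field(default_factory=dict)
    skipped: list[str] = field(default_factory=list)  # malformed lines, kept for diagnostics

    def add(self, entry: KeyLogEntry) -> None:
        self.sessions.setdefault(entry.client_random, {})[entry.label] = entry.secret

    def lookup(self, client_random: bytes) -> dict[str, bytes] | None:
        """Secrets for the session whose ClientHello carried this random, if logged."""
        return self.sessions.get(client_random)


def parse_line(line: str) -> KeyLogEntry | None:
    """Return an entry for a well-formed key log line, else None (comment, blank, malformed)."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = LINE_RE.match(stripped)
    if not m or m.group("label") not in KNOWN_LABELS:
        return None
    rand_hex, secret_hex = m.group("rand"), m.group("secret")
    # The client random is always 32 bytes (64 hex digits).
    if len(rand_hex) != 64:
        return None
    # A TLS 1.2 master secret is exactly 48 bytes; TLS 1.3 secrets have the
    # hash length of the cipher suite (32 bytes for SHA-256, 48 for SHA-384).
    if len(secret_hex) % 2:
        return None
    secret_len = len(secret_hex) // 2
    if secret_len not in (32, 48):
        return None
    if m.group("label") == "CLIENT_RANDOM" and secret_len != 48:
        return None
    return KeyLogEntry(m.group("label"), bytes.fromhex(rand_hex), bytes.fromhex(secret_hex))


def parse_keylog(text: str) -> KeyLog:
    """Parse a whole key log; malformed non-comment lines land in log.skipped."""
    log = KeyLog()
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            if raw.strip() and not raw.lstrip().startswith("#"):
                log.skipped.append(raw)
            continue
        log.add(entry)
    return log


# Constructed sample: one TLS 1.2 session (random 0x11..), one TLS 1.3 session
# (random 0xaa..) and one malformed line. Not real secrets.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "aa" * 32 + " " + "bb" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "aa" * 32 + " " + "cc" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "aa" * 32 + " " + "dd" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "aa" * 32 + " " + "ee" * 32,
    "CLIENT_RANDOM notahexvalue deadbeef",   # malformed: random is not 32 hex bytes
])

if __name__ == "__main__":
    log = parse_keylog(SAMPLE_KEYLOG)
    for rand, secrets in log.sessions.items():
        print(rand.hex()[:16] + "...", sorted(secrets))
    print("skipped:", len(log.skipped))
```

The decoder matches a captured ClientHello's 32-byte random against `sessions` and then picks the labels it needs: `CLIENT_RANDOM` for a TLS 1.2 session, or the handshake and application traffic secrets for TLS 1.3, where the handshake secrets are required to decrypt the encrypted part of the handshake itself. Malformed lines are collected rather than silently dropped, since a truncated or partially written key log is the usual reason a capture fails to decrypt.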
Active Mode SSL Decoding
SSL active mode is available only for traffic generated by the local host machine. It uses a local SSL/TLS proxy that is included with RedSplice: depending on the ports configured, SSL/TLS traffic is redirected through the proxy, which provides RedSplice with the SSL keys required to decrypt the traffic.