SSL forensics

From Forensics Wiki
'''SSL (TLS) forensics''' is the process of capturing information exchanged through SSL (TLS) connections and trying to make sense of it in some kind of forensics capacity.

== Overview ==

TLS (''Transport Layer Security'') provides authentication and [[encryption]] for many network protocols, such as ''POP'', ''IMAP'', ''SMTP'' and ''HTTP''. However, it is possible to tunnel almost every TCP-based protocol through TLS using tools such as [http://stunnel.mirt.net/ stunnel].

Generally, many TLS implementations require only the server to be authenticated, using a signed certificate.

== Data decryption ==

Data exchanged through SSL (TLS) connections can be decrypted by performing a ''man-in-the-middle'' attack: the attacker modifies the TLS handshake and presents new certificates (with the attacker's own encryption keys).

Many commercial [[network forensics]] systems can perform such an attack:
* Mera Systems [http://netbeholder.com/en/products/lawful_interception.html Sleek Buster] (supports signed forged certificates)
* [http://www.edecision4u.com/edecision4u/Products.html E-Detective HTTPS/SSL Network Packet Forensics Device]

As well as some open-source tools:
* [http://ettercap.sourceforge.net/ ettercap] (unsupported, last version 2005/05/29)
* [http://monkey.org/~dugsong/dsniff/ dsniff] (obsolete, last stable version 2000/12/17)

== Other information ==

The TLS protocol also leaks some significant information:
* the current date and time on the TLS client and server (old versions of [[Firefox]] and [[Thunderbird]] leak the system's uptime);
* the original data size.
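As an added illustration of the two leaks listed above (this is example code written for this page, not a tool from the wiki), the Python below parses a constructed TLS 1.0 ClientHello record to recover the gmt_unix_time field that exposes the client's clock, and bounds the plaintext length hidden behind an application_data record from the record length alone. It assumes TLS 1.0 framing as in RFC 2246, and the MAC size and cipher block size are supplied by the caller.

```python
import struct
from datetime import datetime, timezone

def parse_tls_record(data: bytes) -> dict:
    """Split one TLS record (RFC 2246, section 6.2.1) into header fields and fragment."""
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type": content_type, "version": (major, minor),
            "length": length, "fragment": data[5:5 + length]}

def hello_gmt_unix_time(fragment: bytes) -> int:
    """Recover gmt_unix_time from a ClientHello (type 1) or ServerHello (type 2).

    Handshake header is msg_type(1) + length(3); the body starts with the
    protocol version (2 bytes) followed by the 32-byte Random, whose first
    four bytes are the peer's clock in seconds since the epoch (RFC 2246,
    section 7.4.1.2). This is the date/time leak described on the page.
    """
    if fragment[0] not in (1, 2):
        raise ValueError("fragment is not a ClientHello/ServerHello")
    return struct.unpack("!I", fragment[6:10])[0]

def hello_time_iso(fragment: bytes) -> str:
    """Same field rendered as an ISO 8601 UTC timestamp for a report."""
    ts = hello_gmt_unix_time(fragment)
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()

def plaintext_size_range(record_len: int, mac_len: int, block_size=None) -> tuple:
    """Bound the plaintext length hidden in an application_data record.

    TLS 1.0 ciphertext is plaintext + MAC for a stream cipher, or
    plaintext + MAC + padding for a CBC block cipher (RFC 2246, section
    6.2.3), where minimal padding is 1..block_size bytes including the
    padding_length byte. Returns (minimum, maximum) plaintext bytes.
    """
    if block_size is None:
        exact = record_len - mac_len
        return (exact, exact)
    return (record_len - mac_len - block_size, record_len - mac_len - 1)

# Constructed TLS 1.0 ClientHello (not a real capture): version 3.1,
# gmt_unix_time = 1216487520 (2008-07-19 17:12:00 UTC), one cipher suite.
_RANDOM = struct.pack("!I", 1216487520) + b"\x11" * 28
_BODY = b"\x03\x01" + _RANDOM + b"\x00" + b"\x00\x02\x00\x0a" + b"\x01\x00"
_HANDSHAKE = b"\x01" + len(_BODY).to_bytes(3, "big") + _BODY
CLIENT_HELLO = b"\x16\x03\x01" + struct.pack("!H", len(_HANDSHAKE)) + _HANDSHAKE

if __name__ == "__main__":
    rec = parse_tls_record(CLIENT_HELLO)
    print("client clock:", hello_time_iso(rec["fragment"]))
    # A 1045-byte application_data record under a 16-byte-block CBC cipher with HMAC-SHA1.
    print("plaintext bytes:", plaintext_size_range(1045, 20, 16))
```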

== Links ==

* [http://rfc.net/rfc2246.html RFC 2246 (TLS 1.0)]
* [http://rfc.net/rfc4346.html RFC 4346 (TLS 1.1)]

Revision as of 17:12, 19 July 2008