SSL forensics - Revision history

.FUF: added Category:Network Forensics

2008-07-20T18:54:28Z

added Category:Network Forensics

.FUF at 16:42, 20 July 2008

2008-07-20T16:42:33Z

.FUF: New page: '''SSL (TLS) forensics''' is the process of capturing information exchanged through SSL (TLS) connections and trying to make sense of it in some kind of forensics capacity. == Overview ==...

2008-07-19T22:12:28Z

New page: '''SSL (TLS) forensics''' is the process of capturing information exchanged through SSL (TLS) connections and trying to make sense of it in some kind of forensics capacity. == Overview ==...

New page

'''SSL (TLS) forensics''' is the process of capturing information exchanged through SSL (TLS) connections and trying to make sense of it in some kind of forensics capacity.

== Overview ==

TLS (''Transport Layer Security'') provides authentication and [[encryption]] for many network protocols, such as: ''POP'', ''IMAP'', ''SMTP'', ''HTTP''. However, it is possible to tunnel almost every TCP-based protocol through TLS using such tools as [http://stunnel.mirt.net/ stunnel].

Generally, many TLS realizations require only server to be authenticated using signed certificate.

== Data decryption ==

Data exchanged through SSL (TLS) connections can be decrypted by performing ''man-in-the-middle'' attack. Attacker can modify TLS handshake and provide new certificates (with attacker's encryption keys).

Many commercial [[network forensics]] systems can perform such an attack:
* Mera Systems [http://netbeholder.com/en/products/lawful_interception.html Sleek Buster] (supports signed forged certificates)
* [http://www.edecision4u.com/edecision4u/Products.html E-Detective HTTPS/SSL Network Packet Forensics Device]

As well as some open-source tools:
* [http://ettercap.sourceforge.net/ ettercap] (unsupported, last version - 2005/05/29)
* [http://monkey.org/~dugsong/dsniff/ dsniff] (obsolete, last stable version - 2000/12/17)

== Other information ==

The TLS protocol also leaks some significant information:
* Current date and time on a TLS client and server (old versions of [[Firefox]] and [[Thunderbird]] leak system's uptime);
* Original data size.

== Links ==

* [http://rfc.net/rfc2246.html RFC 2246 (TLS 1.0)]
* [http://rfc.net/rfc4346.html RFC 4346 (TLS 1.1)]

← Older revision		Revision as of 18:54, 20 July 2008
Line 34:		Line 34:
	* [http://rfc.net/rfc2246.html RFC 2246 (TLS 1.0)]		* [http://rfc.net/rfc2246.html RFC 2246 (TLS 1.0)]
	* [http://rfc.net/rfc4346.html RFC 4346 (TLS 1.1)]		* [http://rfc.net/rfc4346.html RFC 4346 (TLS 1.1)]
		+
		+	[[Category:Network Forensics]]

@@ Line 11: / Line 11: @@
 Data exchanged through SSL (TLS) connections can be decrypted by performing ''man-in-the-middle'' attack. Attacker can modify TLS handshake and provide new certificates (with attacker's encryption keys).
-Many commercial [[network forensics]] systems can perform such an attack:
+Some commercial [[network forensics]] systems can perform such an attack:
-* Mera Systems [http://netbeholder.com/en/products/lawful_interception.html Sleek Buster] (supports signed forged certificates)
+* Mera Systems [http://netbeholder.com/en/products/lawful_interception.html Sleek Buster] (supports signed by a trusted CA forged certificates)
 * [http://www.edecision4u.com/edecision4u/Products.html E-Detective HTTPS/SSL Network Packet Forensics Device]
@@ Line 23: / Line 23: @@
 The TLS protocol also leaks some significant information:
 * Current date and time on a TLS client and server (old versions of [[Firefox]] and [[Thunderbird]] leak system's uptime);
 * Original data size.
 == Links ==