SSL (TLS) forensics is the process of capturing information exchanged through SSL (TLS) connections and interpreting it for forensic purposes.
TLS (Transport Layer Security) provides authentication and encryption for many network protocols, such as POP, IMAP, SMTP and HTTP. However, almost any TCP-based protocol can be tunneled through TLS using tools such as stunnel.
Generally, many TLS implementations require only the server to be authenticated, using a signed certificate.
Data exchanged through SSL (TLS) connections can be decrypted by performing a man-in-the-middle attack. The attacker can modify the TLS handshake and provide new certificates (with the attacker's encryption keys); a client that validates the server certificate will reject the substitution unless the new certificate chains to a CA it trusts.
Some commercial network forensics systems can perform such an attack:
- Mera Systems Sleek Buster (supports forged certificates signed by a trusted CA)
- E-Detective HTTPS/SSL Network Packet Forensics Device
- Expert Team 3i Tactical System
Some open-source tools can do the same:
- ettercap (unsupported, last version - 2005/05/29)
- dsniff (obsolete, last stable version - 2000/12/17)
The TLS protocol also leaks some significant information:
- Current date and time on the TLS client and server (old versions of Firefox and Thunderbird leak the system's uptime);
- The hostname being accessed (the "server_name" extension);
- Original data size.
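
The first two leaks can be read straight from a captured ClientHello, without any decryption. The Python parser below is an added example, not part of the original page: it extracts the gmt_unix_time field and the "server_name" extension from one TLS record. The sample record and the build_sample helper are constructed for the demo, and the timestamp is meaningful only for clients that put the real clock in the TLS 1.2-and-earlier gmt_unix_time field (TLS 1.3 clients send random bytes there).

```python
import struct
from datetime import datetime, timezone

def _vec(buf: bytes, pos: int, width: int):
    """Read a length-prefixed vector; return (data, next_pos) or raise if truncated."""
    end = pos + width
    n = int.from_bytes(buf[pos:end], "big")
    if end > len(buf) or end + n > len(buf):
        raise ValueError("truncated field")
    return buf[end:end + n], end + n

def parse_client_hello(record: bytes) -> dict:
    """Return the cleartext timestamp and server_name from a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:        # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    body, _ = _vec(record, 3, 2)                     # record payload
    if len(body) < 4 or body[0] != 0x01:             # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    hello, _ = _vec(body, 1, 3)
    if len(hello) < 34:
        raise ValueError("truncated ClientHello")
    gmt = struct.unpack("!I", hello[2:6])[0]         # first 4 bytes of Random
    _, pos = _vec(hello, 34, 1)                      # session_id
    _, pos = _vec(hello, pos, 2)                     # cipher_suites
    _, pos = _vec(hello, pos, 1)                     # compression_methods
    sni = None
    exts, p = (_vec(hello, pos, 2)[0], 0) if pos < len(hello) else (b"", 0)
    while p < len(exts):
        etype = int.from_bytes(exts[p:p + 2], "big")
        data, p = _vec(exts, p + 2, 2)
        if etype == 0:                               # server_name extension
            names, _ = _vec(data, 0, 2)
            if names[:1] == b"\x00":                 # name_type host_name
                sni = _vec(names, 1, 2)[0].decode("ascii", "replace")
    return {"client_time": datetime.fromtimestamp(gmt, timezone.utc), "server_name": sni}

def build_sample(host: bytes, gmt: int) -> bytes:
    """Constructed ClientHello for this demo (not captured traffic)."""
    name = b"\x00" + struct.pack("!H", len(host)) + host
    sni = struct.pack("!H", len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    hello = (b"\x03\x03" + struct.pack("!I", gmt) + bytes(28) + b"\x00"
             + b"\x00\x02\x00\x2f" + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(parse_client_hello(build_sample(b"mail.example.org", 1262304000)))
```

The parser expects the whole ClientHello in a single TLS record; a hello fragmented across records raises ValueError and has to be reassembled first.
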
Tor tunnels application data through TLS connections, and it is not possible to decrypt such connections by performing a traditional man-in-the-middle attack. Tor also sends application data in chunks to make it harder to guess exactly how many bytes users are communicating.