Question
I have the following question regarding the decryption of SSL traffic. The topology that I have in mind is like this:

User-------MitM Proxy--------WebServer

In the environment described earlier there is already a commercial proxy which is doing a man in the middle attack by replacing the original SSL certificate of the server with its own. Can I decrypt the SSL traffic between the user and the proxy and send them un-encrypted to a forensics/sandbox solution? I have a tap device between the users and the proxy, and the public and private key of the MitM proxy are available.
Explanation / Answer
As Andrey points out in the comments, this is only valid if the user machine already trusts the replacement SSL cert (more accurately, the proxy cert as a root cert or the proxy cert signed by a trusted root); otherwise the user will get a warning that the cert is signed for the wrong domain. In a corporate setting, the proxy cert is typically installed by a group policy by the domain admins.
Yes, absolutely. If your MitM proxy is already replacing the SSL certificate, you should be able to decrypt the traffic using the private key of the MitM proxy. Just capture the packets as if they were unencrypted (using Wireshark or something) and unencrypt them at your leisure.
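Added example (not code from the question or the answer above): before loading the proxy's private key into Wireshark, a tap analyst can read the negotiated cipher suite from the ServerHello to see whether that key is even sufficient. Static RSA key exchange (TLS_RSA_* suites) can be decrypted with the proxy's private key, while (EC)DHE and TLS 1.3 sessions provide forward secrecy and need the per-session secrets exported by the proxy instead. The cipher-suite table is a small subset of the IANA registry and the ServerHello builder only constructs test input; both are assumptions for the demonstration.

```python
import struct

# Cipher suite IDs from the IANA TLS registry (a small subset). The key-exchange
# half of the name decides what a passive tap needs in order to decrypt.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",  # TLS 1.3 suites are always ephemeral
}

HANDSHAKE, SERVER_HELLO = 22, 2


def parse_server_hello(record: bytes) -> dict:
    """Pull version and negotiated cipher suite out of one ServerHello record."""
    ctype, rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != HANDSHAKE or not body or body[0] != SERVER_HELLO:
        raise ValueError("record is not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    version = struct.unpack("!H", hs[:2])[0]
    pos = 2 + 32                      # skip server_random
    pos += 1 + hs[pos]                # skip legacy_session_id
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    return {"version": version, "suite": suite,
            "name": CIPHER_SUITES.get(suite, "UNKNOWN(0x%04x)" % suite)}


def material_needed(record: bytes) -> str:
    """What the tap analyst must obtain from the proxy to decrypt this session."""
    info = parse_server_hello(record)
    # Only static RSA key exchange encrypts the premaster secret to the server's
    # key; every (EC)DHE or TLS 1.3 session needs the per-session secrets instead.
    if info["name"].startswith("TLS_RSA_"):
        return "proxy private key"
    return "session keys (e.g. key log exported from the proxy)"


def build_server_hello(suite: int, version: int = 0x0303) -> bytes:
    """Constructed test input: a minimal ServerHello record, not a real capture."""
    hs_body = (struct.pack("!H", version) + bytes(32)      # version + random
               + b"\x00"                                   # empty session id
               + struct.pack("!H", suite) + b"\x00")       # suite + null compression
    hs = bytes([SERVER_HELLO]) + len(hs_body).to_bytes(3, "big") + hs_body
    return struct.pack("!BHH", HANDSHAKE, version, len(hs)) + hs
```

Run `material_needed(build_server_hello(0x002F))` against a few suites to see which sessions the private key alone will open; on a real capture, feed the first handshake record of each server-to-client flow instead of the constructed one.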