
Currently using:

  • OS: Official Kali Linux 2019.4

  • Browser: Chromium Version 76.0.3809.100 (Developer Build) built on Debian bullseye/sid, running on Debian kali-rolling (64-bit)

  • Wireshark 2.6.10 (Git v2.6.10 packaged as 2.6.10-1)

  • Session keys and capture: https://anonfile.com/J6n7we57n6/keys_and_cap_tar

I decided to begin the long, arduous process of learning a tool like Wireshark about 2 days ago. My primary interest was/is using Wireshark to view the traffic between my computer and websites, and I immediately encountered SSL/TLS encryption for the first time. From my googling foray, I saw that there are two common methods for approaching the decryption: using the server RSA key and using the SSLKEYLOGFILE method. Of course, I chose the latter.

I stumbled upon this YouTube tutorial on setting it up for session-by-session capture and decryption: https://www.youtube.com/watch?v=X4aT63h_fjk. I set an environment variable in a terminal instance, opened Chromium via that terminal instance after opening Wireshark, and accessed 5 sites:

  • Wireshark.org
  • Youtube.com
  • Deviantart.com
  • Pizzahut.com
  • Bitstamp.net

(not necessarily in this order)

Nothing more than just accessing their main pages. Then I stopped Wireshark, saved the capture, configured the preferences so that it would use the SSLKEYLOGFILE generated by the session, reopened the capture, and set the following display filter:

  • ip.src==10.0.2.29 and (http contains "GET" or http2)

I expected to see a GET for each site main page that I loaded but I only found one (Bitstamp) in HTTP1.1 and two (Pizzahut and Youtube) in HTTP2. So I repeated the procedure but this time just for accessing the main page of Wireshark.org. Where I expected to see an HTTP2 GET that had somehow escaped the first capture, I found none. I assume that the situation will be similar if I repeated the procedure a third time for Deviantart.com. Additionally, it seems that Wireshark is only decrypting the HTTP2 headers; data is still arriving in TLS record layers (for both captures done).

So I led another foray into Google and found this post here on SU.

In light of my findings, I have a number of questions:

  1. Is there really no way of using Wireshark to decrypt SSL/TLS without the server RSA?
  2. Why is it that Wireshark is capable of decrypting headers using the SSLKEYLOGFILE but not the rest of the data?
  3. [A little unrelated to Wireshark but:] Why is it that Wireshark picked up on an HTTP GET to Bitstamp and HTTP2 GET requests to Youtube and Pizzahut but none to Wireshark(.org) and Deviantart?

I have downloaded Fiddler in the meantime for viewing HTTPS traffic in case anyone was planning to suggest it but I appreciate the thought as well as any help!
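One cheap check before suspecting Wireshark itself is to validate the SSLKEYLOGFILE that Chromium wrote. The following is an added example, not code from the question, the answer, or any of the tools named here: it parses the NSS key log format (the format SSLKEYLOGFILE uses) and flags malformed lines and TLS 1.3 sessions whose secrets are incomplete, since an incomplete key log is one reason Wireshark decrypts only part of a session. The sample key log is constructed, not taken from the author's capture.

```python
# Added example, not code from the Super User thread: sanity-check an
# SSLKEYLOGFILE (NSS key log format, written by Chromium and read by
# Wireshark) before blaming the dissector for a half-decrypted capture.
import re
from collections import defaultdict
# TLS 1.3 writes several lines per session; the secret is hash-sized
# (32 bytes for SHA-256 suites, 48 for SHA-384), so 64 or 96 hex chars.
TLS13_LABELS = {"CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
                "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
                "SERVER_TRAFFIC_SECRET_0", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET"}
# Without all four of these Wireshark can decrypt at most the handshake of a
# TLS 1.3 session; the application data (HTTP/2 frames) stays opaque.
TLS13_REQUIRED = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                  "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
HEX = re.compile(r"^[0-9a-fA-F]+$")

def check_keylog(text):
    """Return (sessions, problems): client_random -> labels seen, plus findings."""
    sessions, problems = defaultdict(set), []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comments are allowed in the format
        parts = line.split()
        if len(parts) != 3 or parts[0] not in (TLS13_LABELS | {"CLIENT_RANDOM"}):
            problems.append(f"line {n}: unrecognised entry")
            continue
        label, rnd, secret = parts
        # CLIENT_RANDOM (TLS <= 1.2) carries the 48-byte master secret
        ok_len = len(secret) == 96 if label == "CLIENT_RANDOM" else len(secret) in (64, 96)
        if not (HEX.match(rnd) and len(rnd) == 64 and HEX.match(secret) and ok_len):
            problems.append(f"line {n}: malformed {label} entry")
            continue
        sessions[rnd.lower()].add(label)
    for rnd, labels in sessions.items():
        if "CLIENT_RANDOM" in labels:
            continue  # TLS 1.2 session: the master secret alone is enough
        missing = TLS13_REQUIRED - labels
        if missing:
            problems.append(f"session {rnd[:16]}...: missing {sorted(missing)}")
    return dict(sessions), problems

# Constructed sample (not from the author's capture): one TLS 1.2 session, one
# complete TLS 1.3 session, one TLS 1.3 session with only handshake secrets, one junk line.
SAMPLE = "\n".join([
    f"CLIENT_RANDOM {'11' * 32} {'aa' * 48}",
    *(f"{lab} {'22' * 32} {'bb' * 32}" for lab in sorted(TLS13_REQUIRED | {"EXPORTER_SECRET"})),
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'33' * 32} {'bb' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {'33' * 32} {'bb' * 32}",
    "bogus line here",
])
```

Run it against the real file with `check_keylog(open(path).read())`; an empty problems list means the key log itself is not the reason for missing decryption.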

1 Answer


An alternative to exporting an SSLKEYLOGFILE from your browser is to run the HTTPS traffic through a TLS proxy, such as PolarProxy, that generates a PCAP file with the decrypted traffic.

You can configure iptables to forward all traffic for user with uid 1000 to a local PolarProxy service like this:

sudo iptables -t nat -A OUTPUT -m owner --uid 1000 -p tcp --dport 443 -j REDIRECT --to 10443 

This will let you analyze the decrypted HTTPS traffic in Wireshark as if it was unencrypted http or http/2 running on TCP port 80.

You can even use Wireshark to analyze the traffic in real-time by streaming the PCAP with decrypted TLS traffic directly to Wireshark like this:

./PolarProxy -p 10443,80,443 --certhttp 10080 -w - | wireshark -k -i - 

Finally, PolarProxy is developed by me. So please feel free to let me know if you have any questions about the tool.

  • I noticed that your username is similar to the link you provided. Please disclose any affiliation you have with the site (re: superuser.com/help/promotion) Commented Sep 11, 2019 at 14:24
  • @jeff-schaller: Yes, I am the developer of PolarProxy. As far as I know it is the only free tool that can create a PCAP with decrypted TLS traffic. But I noticed that something similar has been introduced in SSLsplit recently. It's probably worth checking out if you wanna have an alternative to my PolarProxy tool. – netresec Commented Sep 11, 2019 at 14:34
