decrypting ssl, tls

Hello,
i read over google that i can decrypt the ssl and tls traffic with wireshark
so i use port mirroring on my router and route all traffic to wireshark, it will help ?
is there any way to do it?
thanks.
Amin El-Zein Asked:
Ashok Dewan (Freelancer) Commented:
Check out my video on youtube
https://www.youtube.com/watch?v=PDheRUu5Hwc
You must read the comment section also.
When I made this video, the gmail website used a different method than Diffie-Hellman. I didn't research it as I was busy with programming. Ensure the use of a Diffie-Hellman Ephemeral (DHE/EDH) or RSA Ephemeral cipher suite is not negotiated between the two hosts. This is indicated by the use of a ServerKeyExchange message. There is no way to decrypt data where ephemeral ciphers are used.
Qlemo ("Batchelor", Developer and EE Topic Advisor) Commented:
If that would work it would be very strange (and dangerous). You need the negotiated keys to be able to decrypt traffic, and only the endpoints know about those keys.
Ashok Dewan (Freelancer) Commented:
I decrypted it long ago.
Now, I use burp tool to do same.

Note: Decryption is not possible unless you have the private key.
Dr. Klahn (Principal Software Engineer) Commented:
> i read over google that i can decrypt the ssl and tls traffic with wireshark

Sure, as long as you know the key.  Without the key ... well, not "impossible", but certainly "impractical."
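Ashok's remark about ephemeral (DHE/ECDHE) suites and the ServerKeyExchange message, and Dr. Klahn's "as long as you know the key", come down to one check a network or server administrator can run against their own capture: which cipher suite the server selected in its ServerHello. If the key exchange is plain RSA, the session is at risk of passive decryption by anyone holding the server's private key (which is why forward-secret suites are the recommended configuration); if it is DHE, ECDHE or TLS 1.3, no stored key will unlock a recorded session. The following is an added example, not code from anyone in this thread or from Wireshark; it builds constructed ServerHello records with a small helper, parses the record and handshake headers, and classifies the negotiated suite. The cipher suite IDs are the IANA-registered values; the record builder and the field names in the result are this example's own.

```python
"""Audit TLS ServerHello records for forward secrecy (added example, constructed data)."""
import struct

# IANA cipher suite IDs -> (name, key exchange family). Subset only.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "TLS1.3"),
    0x1302: ("TLS_AES_256_GCM_SHA384", "TLS1.3"),
    0x1303: ("TLS_CHACHA20_POLY1305_SHA256", "TLS1.3"),
}
SUPPORTED_VERSIONS_EXT = 0x002B   # carries the real version in a TLS 1.3 ServerHello
TLS13 = 0x0304


def build_server_hello(cipher_suite: int, tls13: bool = False) -> bytes:
    """Constructed test data: a minimal, well-formed ServerHello record (helper for this example)."""
    server_random = bytes(range(32))
    session_id = b""
    hs = struct.pack("!H", 0x0303) + server_random + bytes([len(session_id)]) + session_id
    hs += struct.pack("!H", cipher_suite) + b"\x00"            # suite + null compression
    exts = struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, TLS13) if tls13 else b""
    hs += struct.pack("!H", len(exts)) + exts
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs             # handshake type 2 = ServerHello
    return b"\x16" + struct.pack("!HH", 0x0303, len(body)) + body  # record type 0x16 = handshake


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ServerHello and classify the negotiated key exchange."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hs[0:2])[0]
    pos = 2 + 32                                  # skip the 32-byte server random
    sid_len = hs[pos]
    pos += 1 + sid_len                            # skip session id
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + 1                                  # suite, then compression method
    if pos + 2 <= len(hs):                        # extensions block is optional
        ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            edata = hs[pos:pos + elen]
            pos += elen
            if etype == SUPPORTED_VERSIONS_EXT and elen == 2:
                version = struct.unpack("!H", edata)[0]   # TLS 1.3 hides its version here
    name, kx = CIPHER_SUITES.get(suite, (f"unknown_0x{suite:04x}", "unknown"))
    forward_secret = kx in ("DHE", "ECDHE", "TLS1.3") or version == TLS13
    return {
        "version": version,
        "cipher_suite": suite,
        "name": name,
        "key_exchange": kx,
        "forward_secret": forward_secret,
        # Only static-RSA key exchange lets a captured session be decrypted later
        # with the server's private key (e.g. Wireshark's RSA keys list).
        "decryptable_with_server_private_key": kx == "RSA" and not forward_secret,
    }


def audit(records) -> list:
    """Classify every ServerHello record in the list."""
    return [parse_server_hello(r) for r in records]


# Constructed sample: one static-RSA session, one ECDHE session, one TLS 1.3 session.
SAMPLE_RECORDS = [
    build_server_hello(0x002F),
    build_server_hello(0xC02F),
    build_server_hello(0x1301, tls13=True),
]

if __name__ == "__main__":
    for r in audit(SAMPLE_RECORDS):
        flag = "AT RISK (static RSA)" if r["decryptable_with_server_private_key"] else "forward secret"
        print(f"{r['name']:45s} v=0x{r['version']:04x} {flag}")
```

In a real capture the same record bytes are what Wireshark shows under "Server Hello"; a server that still negotiates the first kind of suite should be reconfigured to prefer ECDHE or TLS 1.3, after which even a leaked private key does not expose recorded traffic.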
Amin El-Zein (Author) Commented:
Ashok Dewan: this is man in the middle, i want to do it without importing any certificate, i can do it using squid, tmg...
so with burp tool it will be done ?
thanks.
Ashok Dewan (Freelancer) Commented:
Yes, Burp tool will do it easily, no need for pfsense.
Amin El-Zein (Author) Commented:
hello,
i see the burp proxy but it needs a certificate too, or can i just do it by routing the traffic through it ?
thanks.
Ashok Dewan (Freelancer) Commented:
Burp tool can create its own certificates, just export the self-signed certificate and import it into the browser to avoid any error.
Amin El-Zein (Author) Commented:
i don't want to show the client any error and i can't import any certificate to any computer
it's like ssl sniffing
thanks.
arnold Commented:
Man in the middle for a secure connection requires a certificate that will be presented to the user accessing the site, but instead of terminating at the destination, the ssl connection terminates on your proxy, which opens the connection to the destination.
Amin El-Zein (Author) Commented:
so the burp tool will not work because of that, i am doing port mirroring and i want to use wireshark
so any details ?
arnold Commented:
What are you after? With port mirroring you can decode and capture unencrypted packets.
Amin El-Zein (Author) Commented:
any solutions for that ? how do the governments decrypt these packets !
Qlemo ("Batchelor", Developer and EE Topic Advisor) Commented:
What?
If you cannot use man-in-the-middle (that is, an SSL proxy) and run WireShark or similar on the proxy device, there is no "solution for that". As has been said multiple times, you need to have control over the key to get access to the content.
arnold Commented:
What makes you think the Government does? This is why all the Google, Yahoo went to secure connections, as prior searches and queries were in the open while the authentication was the only thing that used secure communication.

What exactly are you trying to achieve? If you want to block your users from being able to access a destination without your knowledge/approval, do what many firms where secrecy is important do: block all ports such that the user must go through an internal proxy that has a trusted certificate and matches any requested URL. This is the proxy setup that is in the middle, and all traffic passing through it can be captured and decoded using wireshark because the proxy is the end point of the request, has the encryption key and is the requesting entity to the requested destination...
These firms deny the users even the option to establish an outgoing VPN.....
Dmitri Farafontov (Linux Systems Admin) Commented:
You can get an appliance like WebSense or something and it will do it for you. However, as mentioned before, your users might get SSL errors if you are not careful.
Amin El-Zein (Author) Commented:
Hello, WebSense should install a certificate on the client too.
thanks.
Dmitri Farafontov (Linux Systems Admin) Commented:
That's right. That is how the protocol works. No way around that.
Amin El-Zein (Author) Commented:
what's about sslstrip+ ?
Dmitri Farafontov (Linux Systems Admin) Commented:
While a proof of concept exists, we are unable to assist you in setting it up for ethical reasons. We can only point you in the direction of the GitHub, where it's published:
https://github.com/LeonardoNve/sslstrip2/blob/master/README.md