I would like to read the information a java application in firefox is sending to a website over an ssl connection.
I am using WireShark, and I believe that if I can somehow tell tell wireshark what encryption key firefox is using, then wireshark will be able to decrypt the ssl messages.
Then I will exactly what information this website is getting about my computer.
My apologies if the question is vague ... any pointers on where to start looking for clues would be appreciated.
Not really programming related.
However in order to do this you ll need the certificate for the site your application is connecting to, both the public and the private key parts - so if it s not a site you own then you d not going to be able to do it. If you control the receiving web site then simply follow the instructions on the wireshark wiki.
Assuming that you re not trying to do this programmatically, but instead just want to view headers whilst debugging, you could use Charles:
There s a fair bit of information here about how to set it up to decrypt SSL traffic:
http://www.charlesproxy.com/documentation/using-charles/ssl-proxying/
The java application would encrypt all information with the server s public (SSL) certificate (at least as far as you are concerned). For all practical purposes the only way to decrypt this afterwards is to know the server s private key which you apparently do not have and therefore there is no way that you can decrypt it.
To answer your comment about whether to use your computer s private key:
If this is a "normal" SSL connection, the client (java app) will contact the server and receive its public key, verify it s valid (signed by a trusted CA) and then use it to negotiate a symmetric key that is used for encryption.
Public/Private keys work in a way that everything encrypted by one key can only be decrypted by the other - i.e. everything the Java app encrypts using the server s public key, can only be decrypted using the private key - which never leaves the server.
SSL/TLS supports client certificates, in which the Java app can have its own key pair and use its private key to sign the contents in order to verify the authenticity of itself. However even if the Java app does that (doubtful) it does not help as the data will still be encrypted so that only the server can decrypt it.
Background reading: http://en.wikipedia.org/wiki/Transport_Layer_Security and http://en.wikipedia.org/wiki/Public-key_cryptography
I have SSL on my website....when the user logs in from a http page the form action is sent to https page, would this still secure the posted data? Or would it be better to have the form and the page ...
Iam using HTTPClient 4.0 to connect a remote server and transfer file using HTTPS. When i tried to connect i get the exception "java.net.SocketException: Unconnected sockets not implemented". Please ...
We ve deployed our rails app to EC2. In our setup, we have two proxies on small instances behind round-robin DNS. These run nginx load balancers for a dynamically growing and shrinking farm of web ...
I m using the Spring RESTTemplate on the client side to make calls to a REST endpoint. The client in this case is a Spring app and Tomcat is the servlet container. I m running into issues making a ...
As far as I understand, https is http plus SSL/TLS. What do I need to do if I want to add 3 more parameters for the header? I found a file inside Mozilla s NSS - ssl3ext.c, but I don t understand it ...
Consider the following sample code which uses a TrustManager to log whether an outgoing connection used a valid certificate (but accept the connection in all cases): import java.security.*; import ...
I m trying to use Hudson (which uses SVNKit) to access a Subversion repository that requires a client certificate to access it. I can access the same repository using the same client certificate via ...
I m trying to send emails from a python script with smtplib, and it works with no problems with smtp through Exchange 2003, but with Exchange 2007 shows: SMTPException: No suitable authentication ...
