Debugging HTTPS traffic
There are times when you work with SSL traffic. Your website might be protected with a certificate so that traffic between you and the client is secure. At times like this, being a developer is troublesome. Browser cache settings need to be analyzed by looking at the HTTP headers. Encoding / content type may need to be analyzed to ensure that a particular page is displayed correctly. These things cannot be looked into while the traffic is encrypted. There are situations in which the environment is secure but you must still sniff the data. So how do you manage this?
Tools like Charles (a debugging proxy) help you do this. Charles allows you to proxy a secure connection over a protocol like HTTPS and still read the traffic. So how does it do this? Let's have a look.
Your environment probably has a self-signed certificate like the one issued below, using keytool.
```
# Generate a key pair and self-signed certificate in a JKS keystore
# (use -keysize 2048 or larger for anything beyond a throwaway test key)
keytool -genkey -keyalg RSA -keysize 1024 -alias example.com -keystore mystore.ks -validity 9999
# List the keystore contents in verbose form
keytool -list -keystore ./mystore.ks -v
Enter keystore password: changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: example.com
Creation date: Dec 21, 2009
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.org.com, OU=Org, O=SomeCompany, L=Somewhere, ST=Someplace, C=US
Issuer: CN=www.org.com, OU=Org, O=SomeCompany, L=Somewhere, ST=Someplace, C=US
Serial number: 4b2ef9e0
Valid from: Mon Dec 21 10:00:24 GMT+05:30 2009 until: Thu May 07 10:00:24 GMT+05:30 2037
Certificate fingerprints:
MD5: XX:XX:XX...
SHA1: XX:XX:XX...


*******************************************
*******************************************
```
When a certificate like this one is presented to a web browser, it will look like so. Let’s extract the certificate and open it up.
```
keytool -export -keystore ./mystore.ks -file ./testtex.crt -alias example.com
```
Untrusted self-signed certificate:

Our certificate is obviously not trusted since it is self-signed. A certificate signed by a CA that the browser trusts will not exhibit a security warning, like the one presented by Google for the Gmail login page, which is shown below.
Trusted certificate from google.com:

When you start a proxy that has HTTPS support, say Charles for instance, it does the magic by inserting its own certificate into the certificate hierarchy. The Charles CA certificate now becomes the root certificate in this hierarchy, allowing it to decrypt the information that is sent between the client and server.
Modified certificate hierarchy:

Charles signs the certificate that Google presents, so it will now be able to decrypt the information that is sent by the server. However, the side effect is that your browser will no longer trust this certificate, since the root CA is not in your trusted store.
Untrusted connection due to modified hierarchy:

You can get over the problem by importing the certificate or installing it into the MS trust store. This is one technique that proxies use to debug traffic. Know of another method / proxy software? Leave a comment. Happy debugging!
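The change in hierarchy and the effect of importing the proxy's CA can be reproduced offline with openssl. This is an added example, not part of the original post and not Charles's own code; the CA names, host name and file paths are constructed, and an unrelated self-signed root stands in for the browser's trust store.

```shell
#!/bin/sh
# Added example: every name, subject and path below is constructed.

# Build what an intercepting proxy builds: its own root CA plus a site
# certificate for www.example.com issued by that CA. $1 = work directory.
make_proxy_chain() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Debug Proxy CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Root CA of the proxy (self-signed), the counterpart of the Charles CA certificate.
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$d/proxy-ca.key" -out "$d/proxy-ca.crt" 2>/dev/null
    # An unrelated root standing in for the CAs the browser already trusts.
    openssl req -x509 -config "$d/ca.cnf" -subj "/CN=Example Public Root" \
        -newkey rsa:2048 -nodes -days 1 \
        -keyout "$d/public.key" -out "$d/browser-store.pem" 2>/dev/null
    # Site key and CSR, then the certificate the proxy hands to the client.
    openssl req -new -config "$d/ca.cnf" -subj "/CN=www.example.com" \
        -newkey rsa:2048 -nodes -keyout "$d/site.key" -out "$d/site.csr" 2>/dev/null
    openssl x509 -req -in "$d/site.csr" -CA "$d/proxy-ca.crt" -CAkey "$d/proxy-ca.key" \
        -CAcreateserial -days 1 -out "$d/site.crt" 2>/dev/null
}

# Succeeds if certificate $1 verifies with bundle $2 as the CA file.
chains_to() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Issuer line of certificate $1: the quickest way to spot an interposed CA.
issuer_of() { openssl x509 -noout -issuer -in "$1"; }

demo() {
    w=$(mktemp -d) && make_proxy_chain "$w" || return 1
    issuer_of "$w/site.crt"
    chains_to "$w/site.crt" "$w/browser-store.pem" && echo "before import: trusted" \
        || echo "before import: NOT trusted"
    # "Importing" the proxy CA means adding it to the client's trust store.
    cat "$w/proxy-ca.crt" >> "$w/browser-store.pem"
    chains_to "$w/site.crt" "$w/browser-store.pem" && echo "after import: trusted" \
        || echo "after import: NOT trusted"
    rm -rf "$w"
}
demo
```

Checking the issuer of the certificate a site presents is also how to tell, from the client side, that a debugging proxy's CA is sitting in the chain.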
I have been using Fiddler (http://www.fiddler2.com/fiddler2/version.asp) for a while now. Although it is Windows only, since it relies on .NET, it is a pretty powerful tool. It also decrypts SSL traffic but without the need of any user interaction. Not quite sure how it is done…
Worth a look, if there is a Windows machine available.
I have used Fiddler too. Thanks for posting the link.