Possibility to sniff HTTPS traffic on devices without installing a certificate

The entire point of SSL is its resistance to eavesdropping by man-in-the-middle attacks like the one you're proposing. If you cannot make the client device trust your self-signed certificate, then your only options are:

  • Intercept an initial HTTP request and never let the communication be upgraded to HTTPS (but this will not work if the client explicitly goes to an https://... URL)
  • Pretend to be the server with your own self-signed certificate, and hope that the system making the request naively accepts a self-signed certificate (which is the decision-making equivalent to a user who ignores the browser's stern warnings about a possible MITM attack in progress)
  • Check for susceptibility to known past attacks on SSL (Heartbleed, BEAST, etc.). Note that this option is most likely to be illegal, since it may require an attack on the server (which you don't own) rather than an attack on the client (which you possibly do own)

If you have many trillions of dollars available to you, you may have a few other options:

  • Successfully compromise a worldwide-trusted certificate authority and use their secret signing key to produce forged certificates for your own keypair
  • Purchase or discover a zero-day security vulnerability in a Web client, Web server, or (most preferably) SSL/TLS library used by the client or server
  • Discover a crippling weakness in some underlying cryptographic primitive used by SSL (for example, completely breaking AES might do nicely)
  • Spend trillions of dollars on computer hardware to perform brute force attacks on intercepted encrypted communications

If you have unlimited physical access to the device, almost certainly an attack on the device's own trusted certificate store would be easier than an attack on SSL (though it may also be far from easy).


Any suggestions? Is it doable?

You need to own a certificate trusted by the device to intercept the traffic. How this can be achieved depends on how proper and open the certificate validation on the device is.

  • The device might have buggy or non-existent validation of certificates. This is typically:
    • No validation at all, in which case you could use any certificate.
    • Only validates the trust chain, but not the name inside the certificate. In this case you could use any certificate signed by a CA the device trusts.
  • The device has proper certificate checking but allows the installation of custom trust anchors. In this case you could create your own certificates and import them as trusted.
  • The device has proper certificate checking but is closed against adding new trust anchors. This is bad for you unless you get one of the trusted CAs to sign a new certificate for you which is acceptable by the device. Probably no CA will do this.

If this does not help, there might be some other bugs. Look at the SSL problems from recent years and see if you could employ any of these bugs. Also, you might try to use non-SSL bugs to hack the device and change the behavior of the software.
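The validation levels listed in this answer can be reproduced with a throwaway PKI and the openssl CLI. The script below is an added example and is not part of the answer above; it assumes an openssl binary is on PATH, and every name in it (www.target.example, attacker.example, the CA subjects and file names) is made up for the demonstration. It builds a root the "device" trusts and a separate attacker CA, then checks two certificates an interceptor might present: one forged for the target's hostname under the attacker CA, and one legitimately issued by the device's root but for a hostname the attacker controls.

```shell
#!/bin/sh
# Added example, not code from the answers above.  Builds a throwaway PKI with
# the openssl CLI and checks which of the validation levels described in the
# answer would accept an interception certificate.  All hostnames, CA subjects
# and file names are hypothetical.
set -e
work=$(mktemp -d)

# Helper: self-signed CA certificate plus private key.
make_ca() {  # $1 = output basename, $2 = subject CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$work/$1.key" -out "$work/$1.pem" -subj "/CN=$2" 2>/dev/null
}

# Helper: leaf certificate for a hostname (in the CN), signed by the named CA.
make_leaf() {  # $1 = output basename, $2 = hostname, $3 = signing CA basename
    openssl req -newkey rsa:2048 -nodes -keyout "$work/$1.key" \
        -out "$work/$1.csr" -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -days 1 -in "$work/$1.csr" \
        -CA "$work/$3.pem" -CAkey "$work/$3.key" -CAcreateserial \
        -out "$work/$1.pem" 2>/dev/null
}

# The root the device ships with, and the attacker's own CA (e.g. a proxy CA).
make_ca device_ca   "Device Trusted Root"
make_ca attacker_ca "Intercepting Proxy CA"

# forged: carries the target's name but is signed by the attacker's CA.
make_leaf forged     www.target.example attacker_ca
# other_site: a real certificate for a name the attacker controls, issued by
# the CA the device already trusts (the "chain ok, wrong name" case).
make_leaf other_site attacker.example  device_ca

# "Chain only" validation: trust chain is checked, the hostname is ignored.
verify_chain() {  # $1 = trust anchor, $2 = leaf  -> prints accepted|rejected
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# Proper validation: trust chain plus a match on the expected hostname.
verify_full() {  # $1 = trust anchor, $2 = leaf, $3 = expected hostname
    if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

D=$work/device_ca.pem
A=$work/attacker_ca.pem
H=www.target.example
echo "chain-only device, real cert for another name:    $(verify_chain "$D" "$work/other_site.pem")"
echo "proper device, real cert for another name:        $(verify_full  "$D" "$work/other_site.pem" "$H")"
echo "proper device, forged cert, attacker CA absent:   $(verify_full  "$D" "$work/forged.pem" "$H")"
echo "proper device, forged cert, attacker CA imported: $(verify_full  "$A" "$work/forged.pem" "$H")"
```

The first line is the buggy device from the answer's second bullet: a certificate a public CA would happily issue for the attacker's own domain gets through because only the chain is checked. The last line is the "custom trust anchor" case: once the attacker's CA is in the trust store, even a correctly validating client accepts the forged certificate, which is exactly why interception tools need that CA installed and why a device that refuses new trust anchors cannot be intercepted this way.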


No, the very nature of HTTPS is that the certificate is required to decrypt it. You could sniff the traffic, but it would be encrypted and useless to you.