How to Debug an HTTPS Website
As the Internet evolves with an ever increasing demand for security, websites are taking a full-HTTPS approach combined with additional features like Strict Transport Security (HSTS) and Public Key Pinning (HPKP). Websites adopting HTTP/2 for its performance benefits are also required to use HTTPS everywhere.
The growing ubiquity of using TLS (the protocol that provides the security of HTTPS, which previously was provided by SSL) is great for our security and privacy but it can hinder our ability to troubleshoot problems that require us to inspect the traffic going over the wire. The Developer Tools in modern browsers are making this much easier with each release but sometimes you need to see the network packets and HTTPS makes this tricky.
Tools like Telerik Fiddler and Charles help a lot but sometimes they change a site’s behavior and if HSTS and HPKP are in use on your site then even these tools may be insufficient.
Forward Secrecy
It used to be the case that you could capture the packets on your network using a tool like Wireshark and as long as you had the private key for your site’s HTTPS certificate, you could decrypt the traffic to see the plain-text requests and responses. However, modern browsers and web server TLS configurations are preferring to use ciphers with Forward Secrecy, e.g. ciphers using the Diffie-Hellman key exchange (DHE), which means this technique no longer functions.
Thankfully, the Google Chrome and Mozilla Firefox browsers support logging the TLS session keys specific to your requests in a file that Wireshark can then use to decrypt captured traffic between your browser and HTTPS websites. IT Security Professional Jim Shaver published an excellent article about how to do this.
Too easy
In short, the process involves defining a SSLKEYLOGFILE environment variable specifying a file in which to record the keys before you launch your web browser, then configuring the SSL protocol preferences in Wireshark to read this file. It is remarkable easy compared to many other aspects of working with TLS and has been extremely useful at Section for troubleshooting our own Section Console.
Have a read of Jim’s article, try it yourself, and relax knowing that next time your need to debug HTTPS requests on your site you have the tools you need.
