
> I could watch each command and response going over the wire.

AFAIK, Wireshark supports decrypting TLS traffic if you give it the private keys.

> When a POP3 mailbox got hung up on a single huge message you could just telnet in

Use “gnutls-cli” or “openssl s_client” – transparent TLS for your terminal. Both those commands also have options supporting protocols’ use of STARTTLS.




For a modern TLS session Wireshark will need the session keys, which will need to be exported separately for each connection made because they change every time.

Private keys in modern TLS are used only to prove who you are, they aren't used to decrypt anything. Instead random ephemeral secrets are chosen by both sides and a Diffie-Hellman (ECDH) key agreement method is used to agree a shared secret based on those ephemeral secrets.

As a result of this design the connection is encrypted and delivers integrity and confidentiality protection before either side knows who they're talking to.
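To make the point of the two comments above concrete, the following added example (not code from the thread or from Wireshark) runs an ephemeral Diffie-Hellman agreement twice and emits the NSS key-log line that Wireshark's `tls.keylog_file` setting reads. It assumes the RFC 2409 group 2 prime in place of a real TLS ECDH curve, HKDF in place of the TLS key schedule, and omits the certificate signature that proves identity.

```python
"""Ephemeral DH key agreement plus the per-connection key-log line a sniffer
needs.  Illustration only: real TLS uses ECDH groups such as X25519 and its own
key schedule; the long-term certificate key only signs and never touches the
shared secret, so it is not needed (or useful) for decryption."""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime from RFC 2409 (group 2), generator 2.  Chosen for brevity.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2

def ephemeral_keypair():
    """Fresh secret for this connection only; discarded afterwards."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def shared_secret(my_private, peer_public):
    return pow(peer_public, my_private, P).to_bytes(128, "big")

def hkdf_sha256(ikm, salt, info, length):
    """RFC 5869 HKDF-Extract + HKDF-Expand; stands in for the TLS key schedule."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block = b"", b""
    for i in range(1, (length + 31) // 32 + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out += block
    return out[:length]

def handshake():
    """One connection: both sides pick ephemerals, agree a secret, derive keys.
    Returns (client_random, master_secret), which is exactly what Wireshark
    needs and what a stored private key cannot supply."""
    client_random = secrets.token_bytes(32)
    server_random = secrets.token_bytes(32)
    c_priv, c_pub = ephemeral_keypair()
    s_priv, s_pub = ephemeral_keypair()
    assert shared_secret(c_priv, s_pub) == shared_secret(s_priv, c_pub)
    master = hkdf_sha256(shared_secret(c_priv, s_pub),
                         client_random + server_random, b"master secret", 48)
    return client_random, master

def keylog_line(client_random, master_secret):
    """NSS key-log format (as written by SSLKEYLOGFILE) for a TLS 1.2 session."""
    return f"CLIENT_RANDOM {client_random.hex()} {master_secret.hex()}"
```

Each call to `handshake()` yields a different master secret, which is why the key log has to be captured per connection rather than derived once from a private key.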



