I would like to open a browser on Windows, go to an HTTPS site and follow a sequence of actions while capturing packets with Wireshark. Then I want to use the encrypted packet capture to view the decrypted HTTP traffic. I know many ways to do this (listed below) if you abandon the browser, have access to the server or add a MITM, but none of them work if you are limited to the scenario described above. Here are my typical approaches:
Server: For sites on which I have a server private key, use Wireshark's built-in SSL encryption.
MITM: an SSL proxy server (for example, Burp) allows you to view decrypted traffic, but this requires the use of a different certificate and key pair than the one used by the server.
Browser: openssl s_client can connect, make requests and export the main secret, but it does not display related web pages or run JavaScript to calculate subsequent request parameters.
Is there a way to export the main secret from a "normal" browser so that I can use it to decrypt the packet capture of the browser session later?
For example, does the SSL/TLS state persist on disk when you close your browser? If so, how can I access it? Is it accessible in memory while the browser is working (and if so, how will I find it)?
Or are all SSL status data stored on the OS (Windows) and not directly accessible?
Alternatively, is there a way to force the browser to use a specific master secret (and any other related SSL status data, such as session ID, etc.) for a particular HTTPS connection? If so, I can set up an SSL session using s_client, and then transfer the key data to the browser and open a new connection in the same session. This will achieve the same goal in various ways.