SSL — SSL/TLS Decryption Module
The SSL module is currently only available in beta and requires macOS 10.12 or later.
You can enable beta updates inside Debookee in
Menu Debookee -> Preferences -> General -> Propose beta version updates
Then force an update with
Menu Debookee -> Check for Updates...
Check out this blog post for more information.
By default, TLS decryption is not enabled. Debookee can run in 3 modes:
- No TLS decryption
- TLS decryption for targets only
- TLS decryption for Own Traffic and all the intercepted targets
How it works
- We intercept the client's HTTPS connection (Client->Debookee)
- We create our own HTTPS connection to the server (Debookee->Server)
- We retrieve the data from the server and decrypt it
- We create, on the fly, a fake certificate impersonating the server, signed by Debookee's Certificate Authority (CA)
- We send the fake certificate to the client and establish the Client->Debookee TLS connection
- We send the data to the client
Client SSL/TLS warnings/failures
Most HTTPS clients (browsers, applications, email clients…) will detect Debookee's fake certificates and will behave differently, depending on their capabilities.
One way to avoid those warnings is to install Debookee's Certificate Authority on the client.
By default, without Debookee's CA, reactions to the fake certificate can be:
- The client presents a warning and proposes to accept the fake certificate
- The client presents a fatal alert and denies the connection in case of Key Pinning
- The client's TLS connection fails silently
Some clients implement HTTP Public Key Pinning, a security mechanism which prevents impersonation of a TLS server by tying the server to a known public key rather than to any trusted CA.
Key Pinning can be strict or not. When strict, even if the CA is installed, the client won't accept the impersonated TLS connection. In a future release, Debookee will implement a white-list to avoid decrypting connections that involve strict Key Pinning.
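To make concrete why the on-the-fly certificate from the "How it works" steps is rejected by a strictly pinning client even when Debookee's CA is trusted, here is an added example (not Debookee's code) that computes an RFC 7469 pin-sha256 from a certificate's SubjectPublicKeyInfo and checks it against a pin set: the forged leaf carries a different key, so the pin does not match. It uses only the Python standard library; the certificates are constructed toy DER structures with the real tbsCertificate field order, not genuine X.509 data.

```python
import base64
import hashlib

def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder; short-form lengths only (< 128 bytes) suffice here."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def der_read(buf: bytes, pos: int = 0):
    """Parse one short-form DER TLV at pos; return (tag, body, end_offset)."""
    tag, n = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + n], pos + 2 + n

def toy_certificate(spki_body: bytes) -> bytes:
    """Constructed toy Certificate (not real X.509); only field order matters."""
    seq = 0x30
    tbs = (der(0xA0, der(0x02, b"\x02"))  # [0] version v3
           + der(0x02, b"\x01")           # serialNumber
           + der(seq, b"") * 4            # signature alg, issuer, validity, subject
           + der(seq, spki_body))         # subjectPublicKeyInfo
    return der(seq, der(seq, tbs) + der(seq, b"") + der(0x03, b"\x00"))

def spki_pin(cert_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    _, cert, _ = der_read(cert_der)
    _, tbs, _ = der_read(cert)
    fields, pos = [], 0
    while pos < len(tbs):
        tag, _, end = der_read(tbs, pos)
        fields.append((tag, tbs[pos:end]))  # keep the raw TLV bytes
        pos = end
    idx = 6 if fields[0][0] == 0xA0 else 5  # [0] version is optional
    return base64.b64encode(hashlib.sha256(fields[idx][1]).digest()).decode()

def pinning_client_accepts(cert_der: bytes, pins: set) -> bool:
    """A strict pinning client ignores which CA signed the leaf; it accepts
    only if the presented SPKI hash is in its pin set."""
    return spki_pin(cert_der) in pins

GENUINE_SPKI_BODY = b"constructed toy: the real server's key"
FORGED_SPKI_BODY = b"constructed toy: key minted behind the interception CA"

def demo():
    """Pin the genuine server key, then present the forged certificate."""
    pins = {spki_pin(toy_certificate(GENUINE_SPKI_BODY))}
    genuine_ok = pinning_client_accepts(toy_certificate(GENUINE_SPKI_BODY), pins)
    forged_ok = pinning_client_accepts(toy_certificate(FORGED_SPKI_BODY), pins)
    return genuine_ok, forged_ok  # (True, False)
```

Installing the interception CA changes nothing in this check, which is exactly the behaviour the strict pinning paragraph describes.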