I used to get packets in wireshark, where http protocols were not encrypted but recently every packet with application data in my wireshark captured packets is ssl encrypted. There is not even one packet where I can see http protocol(ie when I filter with http, the result is always empty). It's protocol is always TLsv1.1 and the data is encrypted, for every packet thats supposed to be http. So basically I cannot see the header information. Can anyone reply as to why this is happening. Thanks! asked 30 Jun '13, 12:40  athina |
3 Answers:
Is the traffic always between yur IP address and one specific remote address? Then are you running some kind of SSL-VPN software? answered 30 Jun '13, 12:47  SYN-bit ♦♦ There are multiple ip addresses from/to where the packets are encrypted. Even when I refresh my browser with websites like google.com, yahoo.com, etc, the dns packets are captured but there is no http protocol packet, only ssl encrypted packets which does say that the application data is http, but that data is encypted and I cannot read the header info. I have typed some of those ips into my browser and it took me to websites like google.com. So basically every http protocol is being ssl encrypted. I have no VPN, but I did run a server on this computer(now turned off). Any ideas why this might be happening? (30 Jun '13, 21:40) athina
See my answer. (30 Jun '13, 23:20) Guy Harris ♦♦ |
Because whatever software on your computer is contacting those hosts (browser, or whatever) either
In case 1, all your HTTP traffic will be over SSL. In case 2, the initial HTTP request will not be over SSL, and the response to it will not be over SSL, but that response will just tell the browser (or other client software) to use an https:// URL, and all subsequent HTTP traffic will be over SSL. For example, my Facebook account is set up to switch to SSL by default, so even if I go to http://www.facebook.com, it will switch to https://www.facebook.com. answered 30 Jun '13, 23:19  Guy Harris ♦♦ I think its not 1 because: the browser shows https in the address bar for some and not for others. Besides I have tried both safari and chrome. For example after the site in loaded the address bar shows both kinds of url : a) http://www.nytimes.com/ b) https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/&scc=1<mpl=default<mplcache=2 I think it shouldn't be 2 because : If the initial http request is not over SSL then if I filtered wireshark capture with the keyword http, some result should have appeared but the result is completely empty. Is it possible that the initial ssl request happens over tcp? (01 Jul '13, 00:39) athina |
because you (probably) installed a plug-in into your browser (Firefox, Chrome) that does opportunistic encryption, like HTTPS Finder or HTTPS Everywhere The same holds true for any other browser. After a (recent) system update that browser version might try to find encrypted versions of a web site and then only use SSL/TLS to those sites. Regards answered 01 Jul '13, 02:52  Kurt Knochner ♦ |
What are the source and destination ports of the SSL packets you're seeing?
the server's port(source/ dest) is generally https(443) and my computer's (57715 , 57810, etc). The ip addresses are of google, facebook, or quora. Everything is in https mode and ssl encrypted. Any ideas as to why this is happening?