TLS and Wireshark (Individual Lab)

Each individual must complete and submit their own lab work. Again, this lab shall not be done by a pair.
Bonus: If a student submits his/her lab report early, he/she may leave early upon the approval of the instructor.

Part 1: Modify the Setting of Firefox

Shutdown all browsers (i.e., Firefox and Chrome) and execute the following command from a terminal in install DOD certificates:

setup dod

Launch Firefox.

From Setup menu, change the start page to be blank.

Choose the following option:

General → Network Settting → Configure Proxy Access to the Internet → No Proxy

Uncheck the following option:

General → Network Settting → Configure Proxy Access to the Internet → Enable DNS over HTTPS

Uncheck the following options:

Privacy & Security → Forms and Autofill → Autofill addresses

Choose the following option:

Privacy & Security → HTTPS-Only Mode → Don't enable HTTPS-Only Mode

Clear all history. From the history menu:
```
Clear all history. Everything. 
```
Disable IPv6. As shown the picture below, go to about:config and set the IPv6 related options accordingly.
In about:config, set the TLS max version to TLSv1.2 as follows:
```
security.tls.version.max = 3
```

Close Firefox completely.

[40pts] Part 2: Capture TLS traffic

Set environment variable SSLKEYLOGFILE to the absolute path of a writable file and open Firefox. In particular, you can run the following commands in a terminal (don't close the terminal. Keep it open):

export SSLKEYLOGFILE=$HOME/Desktop/keylogfile.txt
firefox&

Verify that the file keylogfile.txt is created in the Desktop directory.

Launch Wireshark (see setup if you need to install it). In Wireshark, go to Edit → Preferences → Protocols → TLS, and change the (Pre)-Master-Secret log filename preference to the path from step 2.

Start the Wireshark capture.

Using Firefox, open a website https://hmpg.net

Stop the Wireshark capture.

In Wireshark, check the certificate of hmpg.net. Use the following filter:

tls.handshake.certificate

In Wireshark, check that the decrypted data (HTTP messages) is visible. Use the following filter:

ip.addr==???.???.???.???

(replace ???.???.???.??? with the IP address of hmpg.net)

Deliverables

[5pts] Screenshot of Client Hello

[10pts] Screenshot of the certificate of hmpg.net. It should show the issuer, subject, and subject public key info. For example, you should give something similar to the following:

[10pts] Screnshot of the CAs in the certificate chain. For example, you should give something similar to the following:

Answer in your lab report: Who is the CA of the certificate? Can you explain what is going on?

To answer the question, google the following keywords:

HTTPS insepection
TLS inspection
TLS break and inspect

[5pts] Screenshot of the ServerKeyExchange from hmpg.net

[5pts] Screenshot of some HTTP protocol messages between you and hmpg.net. Use the "Follow" feature to show something like the following (Note the title "End of the Internet" in the stream):

[5pts] Screenshot showing how Wireshark displays above HTTP protocol messages differently, when (Pre)-Master_Secret log filename is removed.

Answer in your lab report: How does Wireshark show the HTTP data differently?

Part 1: Modify the Setting of Firefox

[40pts] Part 2: Capture TLS traffic

Deliverables

[10pts] Part 3: Lab Report and Submission