Extracting your SSL secret keys from your browser

SANS Diary writer Sally Vandeven reports on how easy it is to extract the secret keys your browser (Chrome and Firefox) uses for SSL connections.


It involves setting an environment variable before you open your browser; the browser then logs all the keys to a log file for you. Although this has some security implications, it does require prior access to your machine to set the variable and then reap the logs after your session. If someone has that level of access, your credentials are probably being captured with a keylogger or other nefarious methods. It is something to watch out for, though.
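One way to watch for this on a Linux host is to check which running processes were started with the key log variable set. This is an added example, not code from the SANS diary or this post. It assumes the variable is `SSLKEYLOGFILE` (the name NSS and Chrome read, which the post does not spell out) and that `/proc` is available; the function names are hypothetical.

```python
import os
import re

KEYLOG_VAR = "SSLKEYLOGFILE"  # assumed variable name; the post does not spell it out
# One key log entry: label, 32-byte client random in hex, secret in hex.
KEYLOG_LINE = re.compile(
    r"^(?:CLIENT_RANDOM|(?:CLIENT|SERVER)_(?:EARLY_|HANDSHAKE_)?TRAFFIC_SECRET(?:_0)?"
    r"|(?:EARLY_)?EXPORTER_SECRET) [0-9a-fA-F]{64} [0-9a-fA-F]+$"
)

def keylog_path_from_environ(blob: bytes):
    """Return the key log path from a NUL-separated environ blob, or None."""
    for entry in blob.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if sep and name == KEYLOG_VAR.encode():
            return value.decode(errors="replace") or None
    return None

def count_keylog_lines(text: str) -> int:
    """Count lines that look like TLS key log entries (comments and junk are skipped)."""
    return sum(1 for line in text.splitlines() if KEYLOG_LINE.match(line.strip()))

def scan_processes(proc_root: str = "/proc") -> dict:
    """Map pid -> key log path for each readable process started with the variable set."""
    hits = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "environ"), "rb") as fh:
                path = keylog_path_from_environ(fh.read())
        except OSError:
            continue  # process exited, or it is not ours to read
        if path:
            hits[int(pid)] = path
    return hits

if __name__ == "__main__":
    # Constructed sample input, not captured from a real session.
    sample_env = b"HOME=/home/alice\0SSLKEYLOGFILE=/tmp/keys.log\0PATH=/usr/bin\0"
    sample_log = "# constructed\nCLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48 + "\n"
    print(keylog_path_from_environ(sample_env), count_keylog_lines(sample_log))
    if os.path.isdir("/proc"):
        for pid, path in scan_processes().items():
            print(f"pid {pid} has {KEYLOG_VAR}={path} (file exists: {os.path.isfile(path)})")
```

Run it as root to cover every user's processes; an unexpected hit, or a file full of matching lines in a location nobody set up for troubleshooting, is worth investigating.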

I do see this as a great troubleshooting tip for encrypted web sites where you do not possess the server key to decrypt the data. Wireshark's decryption ability has definitely helped with many cases, and this is just one more great tool idea for your arsenal.