Decrypt SCTP-DTLS Traffic in WebRTC in Chrome - google-chrome

I'm trying to inspect the pakets sent over the sctp connection of webrtc datachannels in chrome on my local machine. There isnt really much information which I found about decrypting DTLS-Traffic (e.g. through wireshark). Is there a way to access the certificate generated for the peerconnection? If not, how would one decrypt the traffic by other means? (e.g. some mitm proxy, mostly those are for TLS only though).

the certificate alone won't help, Chrome typically uses DTLS with perfect forward secrecy.
The --disable-webrtc-encryption (see http://peter.sh/experiments/chromium-command-line-switches/) might work in canary.

Related

Why can't I access google with http3/quic?

Chrome has turned on the enable-quic switch ,but when i But when I visit google, it still uses http2 protocol ,how can I use the browser's http3/quic feature?
enable-quic
http2 protocol
Since HTTP/3 is still a relatively new protocol, browser may first use HTTP/1 or HTTP/2 when connecting to a server. The server may advertise support of HTTP/3 for subsequent connections. However, even after several requests, the browser may end up using HTTP/2 and TCP if QUIC handshake is delayed for some reason.
You may find more information here
https://www.smashingmagazine.com/2021/09/http3-practical-deployment-options-part3/
You can try to force Chrome to use QUIC protocol on a specific domain by starting chrome from the command line
chrome --origin-to-force-quic-on=www.example.org:443

Error "ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY" in Google Chrome while accessing locally hosted SPA

I've a locally hosted SPA (Kestral/.Net core). It is using a self signed certificate for HTTPS communication (generated through Server Certificates in windows 10).
It works well with IE11, however when accessed from Google Chrome, shows up error - ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY.
Any clues on what could be done to overcome this?
Troubleshooting done so far:
Custom cipher suites order.
Disabling HTTP2 through windows registry.
To use HTTP/2 you must be using TLSv1.2 and cannot use a number of blacklisted, less secure ciphers. This basically means you must use one of the GCM ciphers like TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (though other newer ciphers like TLS_CHACHA20_POLY1305_SHA256 are also support).
If you only have older ciphers configured then Chrome will fallback to HTTP/1.1 or, if that is not available, it will error with that error message.
Adding if it helps anyone digging on same thing, for Kestral setting Protocol Version to http1 looks to be the way to overcome this issue, as Cipher suite doesn't looks to be configurable in kestral at least with .Net core 3.1.

why does Google Chrome only warn about certain unencrypted connections?

Compare the 2 screencaps below.
Each is to a different unsecured page where a login can be performed.
Why does Chrome warn only in the first instance and not the second?
I'm assuming it is something to do with encryption... and if yes, what exactly?
Note:
the first screencap is from a visit to: http://test.idempiere.org/
the second screencap is from a visit to a PrestaShop installation on a private VPS. PrestaShop is a popular e-Commerce CMS
If you use http connections you are always prone to many attack vectors, but they are still so used that no browser warns about them yet (although, see Mozilla proposal for deprecating unencrypted http). But you are right, those connections are definitely insecure.
However, currently HTTPS connections are checked against "known good" Certificate Authorities. If your connection does not have a trusted certificate chain, it is frowned upon.
Thankfully, these days you can get a free HTTPS validation thanks to EFF's initiative Let's Encrypt.
First the SSL Certificate is created by PrestaShop, not by an SSL company, your os does not know the issuer of the SSL Cert. And the cert is expired. You can make a certificate at letsencrypt, if you want to make it free: https://letsencrypt.org/.
That was my browser say(in german)

Force HTTP/2 With Chrome or Safari

Is there some way to tell Chrome or Safari to use HTTP/2 on a specific URL/adress/server?
I mean by changing some setting or such, not by implementing ALPN on the server socket or whatever might be needed. I want to try HTTP/2 on a server socket without waiting till I can have ALPN negotiation to tell the browsers to use HTTP/2.
Clarification: I have HTTP/2 enabled on Chrome (aka SPDY/4 via chrome://flags). It still doesn't probe my (TLS or plaintext) socket for HTTP/2 via Upgrade. I want to force Chrome to either do this, or assume HTTP/2 right off the bat.
Also, I've read that Chrome won't support HTTP/2 over plaintext connections, even though the HTTP/2 standard allows it. But maybe there's some way around that.
HTTP/2 over TLS and HTTP/2 over TCP have been defined as 2 different protocols, identified respectively by h2 and h2c.
Chrome supports h2 only at this time.
If you have a server that implements only h2c, the easiest way to connect Chrome to it is to use a reverse proxy such a nghttpx in HTTP/2 bridge mode in front of your server
As far as I know this is most likely a browser-wide setting.
In chrome you can enable SPDY4, see chrome://flags
As far as safari goes support has been added since version 8.
In the end it's all about the knowing whether or not you speak the same language as the server. If you are using http you can check this by using the Upgrade header. There are some plugins out there you can use with chrome to give you an indication of whether or not the address your visiting supports http/2.
For more info on the http/2 protocol itself you should check out https://http2.github.io/http2-spec/#starting

Deactivate SSL verification in Firefox/Chrome

I was wondering if it is possible to deactivate SSL verification in Chrome or Firefox, so that I can use Wireshark to trace the communication between a Server with self-signed certificate and a web app. Unfortunately, most of the hints I found were already out-dated or do not work at all.
The problem is that accepting the certificate in Firefox or Chrome results in a different SSL handshake. Wireshark can't decrypt this stream anymore.
When I use a native written app (with Java) and disable SSL verification, Wireshark is able to decrypt the stream correctly.
Does anyone know how to decrypt SSL streams with Firefox or Chrome?