Some parties have what they consider legitimate reasons to intercept HTTPS traffic, such as your employer or your government.
If you suspect your network traffic is being monitored, how would you go about doing forensic analysis of captured network traffic from a suspected MITM attack?
Here is a summary of the articles that show you how:
- Extract the X.509 certificates (as *.cer files) from the captured SSL traffic with NetworkMiner.
- Inspect the extracted files.
- Verify that the server IP address and DNS name match what you expect for that site.
- Look for self-signed certificates, revoked certificates, and certificates signed by a CA you do not trust.
- Verify the MD5 fingerprint of an SSL certificate with OpenSSL (the same command also accepts -sha1 or -sha256; compare the result against a fingerprint obtained out of band, e.g. from a direct connection on a network you trust):
$ openssl x509 -inform DER -in mail.google.com.cer -noout -fingerprint -md5
MD5 Fingerprint=52:12:A2:B1:27:E3:BB:CC:E5:F5:AA:BD:A1:A1:E6:F8
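The steps above can be scripted once the *.cer files are on disk. The following is an added example (not code from the referenced articles or from NetworkMiner) that uses only the Python standard library: a minimal DER reader pulls serial, issuer, validity and subject out of each certificate, the file's MD5 and SHA-256 fingerprints are computed in the colon-separated form OpenSSL prints, and two offline checks flag self-signed certificates (issuer equal to subject) and issuers outside an expected CA list. The sample certificates, the issuer names and the "Example Secure CA" trust list are constructed for the example and carry a dummy key and signature; revocation status (CRL/OCSP) needs network access and is not checked here.

```python
"""Triage X.509 .cer files extracted from a capture (added example, standard library only)."""
import hashlib
import sys

# ---- minimal DER reader ---------------------------------------------------
def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body: bytes):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out

ATTR_OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU",
             b"\x55\x04\x06": "C", b"\x55\x04\x07": "L", b"\x55\x04\x08": "ST"}

def parse_name(name_body: bytes) -> str:
    """Render a DER Name (SEQUENCE OF SET OF AttributeTypeAndValue) as 'C=..,O=..,CN=..'."""
    parts = []
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            parts.append(f"{ATTR_OIDS.get(oid, oid.hex())}={value.decode('utf-8', 'replace')}")
    return ",".join(parts)

def parse_cert(cert_der: bytes) -> dict:
    tag, cert, end = read_tlv(cert_der)
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("not a single DER SEQUENCE (PEM input? base64-decode it first)")
    fields = children(children(cert)[0][1])        # TBSCertificate fields
    i = 1 if fields[0][0] == 0xA0 else 0            # [0] EXPLICIT version is optional
    issuer_raw, subject_raw = fields[i + 2][1], fields[i + 4][1]
    not_before, not_after = (v.decode() for _, v in children(fields[i + 3][1]))
    return {"serial": int.from_bytes(fields[i][1], "big", signed=True),
            "issuer": parse_name(issuer_raw), "subject": parse_name(subject_raw),
            "not_before": not_before, "not_after": not_after,
            "self_signed": issuer_raw == subject_raw}   # necessary, not sufficient: no sig check

def fingerprint(cert_der: bytes, algo: str = "md5") -> str:
    """Colon-separated upper-case digest of the DER bytes, as `openssl x509 -fingerprint` prints it."""
    digest = hashlib.new(algo, cert_der).hexdigest().upper()
    return ":".join(digest[k:k + 2] for k in range(0, len(digest), 2))

def triage(cert_der: bytes, expected_issuers, known_sha256) -> list:
    """Offline checks on one certificate; returns findings (empty list = nothing suspicious)."""
    info, findings = parse_cert(cert_der), []
    if info["self_signed"]:
        findings.append("issuer equals subject: self-signed leaf certificate")
    elif info["issuer"] not in expected_issuers:
        findings.append(f"issuer not in the expected CA list: {info['issuer']}")
    fp = fingerprint(cert_der, "sha256")
    if known_sha256.get(info["subject"], fp) != fp:
        findings.append("SHA-256 fingerprint differs from the known-good one for this subject")
    return findings

# ---- constructed sample certificates (dummy key and signature, not real certs) ----
def enc(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_name(**attrs) -> bytes:
    oids = {v: k for k, v in ATTR_OIDS.items()}
    return enc(0x30, b"".join(enc(0x31, enc(0x30, enc(0x06, oids[k]) + enc(0x0C, v.encode())))
                               for k, v in attrs.items()))

SHA256_RSA = enc(0x30, enc(0x06, bytes.fromhex("2a864886f70d01010b")) + enc(0x05, b""))
RSA_ENC = enc(0x30, enc(0x06, bytes.fromhex("2a864886f70d010101")) + enc(0x05, b""))

def build_sample_cert(subject: bytes, issuer: bytes, serial: int = 0x1234) -> bytes:
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, serial.to_bytes(2, "big"))
              + SHA256_RSA + issuer
              + enc(0x30, enc(0x17, b"240101000000Z") + enc(0x17, b"250101000000Z"))
              + subject + enc(0x30, RSA_ENC + enc(0x03, b"\x00" + b"\x42" * 32)))
    return enc(0x30, tbs + SHA256_RSA + enc(0x03, b"\x00" * 65))   # placeholder signature

if __name__ == "__main__":
    trusted = {"C=US,O=Example Trust Services,CN=Example Secure CA"}   # fill from a known-good capture
    if len(sys.argv) > 1:
        samples = [(p, open(p, "rb").read()) for p in sys.argv[1:]]     # NetworkMiner *.cer files
    else:
        leaf = der_name(C="US", O="Example Corp", CN="mail.example.com")
        ca = der_name(C="US", O="Example Trust Services", CN="Example Secure CA")
        samples = [("ca-signed", build_sample_cert(leaf, ca)), ("mitm-like", build_sample_cert(leaf, leaf))]
    for label, blob in samples:
        info = parse_cert(blob)
        print(f"{label}: subject={info['subject']} issuer={info['issuer']} "
              f"valid {info['not_before']}..{info['not_after']}")
        print("  MD5   ", fingerprint(blob, "md5"))
        print("  SHA256", fingerprint(blob, "sha256"))
        for finding in triage(blob, trusted, {}):
            print("  !!", finding)
```

Run it with no arguments to see the two constructed samples triaged, or pass the *.cer files NetworkMiner wrote (`python triage_cer.py *.cer`). The fingerprint is a hash of the whole DER file, so it must match `openssl x509 -inform DER -in file.cer -noout -fingerprint -md5` byte for byte; the self-signed check only compares issuer and subject names, so a certificate that passes it still needs its chain validated against a trust store before it is cleared.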
More references:
- Network Forensic Analysis of SSL MITM Attacks
- Facebook, SSL and Network Forensics
- Webmail Information Leakage