Skip to content

TLS Decryption

Captured HTTPS traffic is ciphertext by default. Trace Eagle automatically matches session keys to their traffic and decrypts the ciphertext into plaintext: the decrypted requests and responses appear right next to the raw bytes, with no need to export keys separately or pair them up by hand.

  • Browsers, Electron apps, and common HTTP(S) clients: decrypt out of the box, captured as plaintext.
  • TLS 1.2 and TLS 1.3, HTTP/1.1, HTTP/2, and HTTP/3 (QUIC) are all within the coverage.
  • Apps with certificate pinning, or running in-house encryption: ordinary proxies are turned away. Switch to App-layer plaintext capture to read plaintext directly from inside the program, where pinning is no obstacle.
  • When you need to decrypt via a proxy: install a capture certificate on the target once, see Certificate management and installation. Most capture methods (direct NIC capture, targeting a specific program, app-layer plaintext capture) need no certificate at all.

A few programs expose no way to obtain their keys. For these, the per-packet / raw view can still show the encrypted traffic itself; you simply can’t see the plaintext yet. The app labels how far it can get for each specific program, so you don’t have to guess.

  1. Did you start capturing early enough? Keys are obtained when the connection is established, so you must start capturing before the traffic happens; a connection already underway when you started capturing may not be decryptable.
  2. Is the certificate installed (when decrypting via a proxy)? Confirm the capture certificate is trusted on the target, see Certificate management and installation.
  3. Is it certificate pinning? If it still errors out and won’t decrypt even with the certificate installed, pinning is the likely cause; switch to App-layer plaintext capture.
  4. Still no luck? See the FAQ.