 

Is it 'safe' to permanently trust the Fiddler root certificate?

I'm looking to inspect HTTP traffic sent and received by a WFC client using Fiddler. To do this I've added the Fiddler Root Certificate to the Windows certificate store.

My question: is there any risk of leaving this certificate in the Windows store ready for when I may need to test again? Could an attacker take advantage of the fact that it's there? Should I remove it once I've finished testing?

asked Feb 12 '16 by Dan Stevens


2 Answers

As the certificate is uniquely generated by Fiddler for my system, even if an adversary knew I had such a certificate installed, there isn't a way for them to take advantage of this. If they knew the unique private key of the certificate they could potentially use this against me, for example, via a man-in-the-middle attack, but to do that they'd need to infiltrate my system to get the certificate, at which point there would be no need for the man-in-the-middle attack.

Having said that, just to be extra safe, I've installed the certificate in a separate Firefox profile specifically for use with Fiddler, so that I don't have the certificate in my system when doing general web surfing.

answered Sep 18 '22 by Dan Stevens


From the Fiddler FAQs

What’s the Risk?

Many security folks are worried that, if a user configures Windows to trust Fiddler’s root certificate, that user could have their traffic intercepted and decrypted by any other Fiddler user. They assume that Fiddler is sharing the same root certificate across all installations.

Fear not! Every Fiddler root certificate is uniquely generated, per user, per machine. No two Fiddler installations have the same root certificate. The only way for a Fiddler user to be “spoofed” by a bad guy is if that bad guy already is running code inside the user’s account (which means you’d already be pwned anyway).

answered Sep 21 '22 by The Gilbert Arenas Dagger
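Both answers turn on the same two facts: the root lives only in the local user's Windows certificate store, and it is unique to that installation. The following PowerShell is an added example, not code from either answer or from Fiddler itself. It lists whatever Fiddler has placed in the user's stores (the root in Trusted Root Certification Authorities, plus the per-site certificates it mints, which are issued by that root and land in the Personal store) and removes them on request, so the root does not stay trusted between test sessions. It assumes the default name Fiddler Classic gives its root, DO_NOT_TRUST_FiddlerRoot; that name is an assumption and should be changed if your installation uses a different one.

```powershell
# Added example, not part of the original Q&A or of Fiddler.
# Assumption: the root is named DO_NOT_TRUST_FiddlerRoot (Fiddler Classic's default).

function Get-FiddlerCertificate {
    [CmdletBinding()]
    param([string] $RootName = 'DO_NOT_TRUST_FiddlerRoot')

    # Fiddler writes its root to the user's Root store and the per-site leaf
    # certificates it generates to the user's Personal (My) store. Both carry the
    # root's name in their Issuer field (the root is self-issued), so one Issuer
    # match finds the root and every leaf it signed. LocalMachine\Root is checked
    # as well, in case the root was ever imported machine-wide by hand.
    $stores = 'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\Root'

    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Issuer -like "*CN=$RootName*" } |
            Select-Object @{ Name = 'Store'; Expression = { $store } },
                          Subject,
                          Thumbprint,      # differs per Fiddler install (the FAQ's "unique per user, per machine")
                          NotBefore,       # roughly when this Fiddler instance generated it
                          NotAfter,
                          HasPrivateKey
    }
}

function Remove-FiddlerCertificate {
    # Supports -WhatIf / -Confirm so the removal can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string] $RootName = 'DO_NOT_TRUST_FiddlerRoot')

    Get-FiddlerCertificate -RootName $RootName | ForEach-Object {
        # The certificate provider addresses each certificate by store path + thumbprint.
        $path = Join-Path -Path $_.Store -ChildPath $_.Thumbprint
        if ($PSCmdlet.ShouldProcess($path, 'Remove certificate')) {
            # Removing from LocalMachine\Root needs an elevated shell; CurrentUser does not.
            Remove-Item -Path $path
        }
    }
}

# Usage:
#   Get-FiddlerCertificate | Format-Table -AutoSize   # audit: what is trusted right now
#   Remove-FiddlerCertificate -WhatIf                 # preview the cleanup
#   Remove-FiddlerCertificate                         # remove root and leaves
```

Running Get-FiddlerCertificate on two machines is a quick way to confirm the FAQ's claim from your own data: the root thumbprints differ. Identical thumbprints on two hosts would mean the root had been exported and imported rather than generated locally, which is exactly the shared-root situation the FAQ says does not occur by default. After removal, Fiddler Classic will generate a fresh root the next time HTTPS decryption is enabled, so nothing is lost by cleaning up between sessions.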