I'm looking to inspect HTTP traffic sent and received by a WFC client using Fiddler. To do this I've added the Fiddler Root Certificate to the Windows certificate store.
My question: is there any risk in leaving this certificate in the Windows store, ready for when I may need to test again? Could an attacker take advantage of the fact that it's there? Should I remove it once I've finished testing?
It's safe as long as you understand the implications. Fiddler acts as a proxy / man in the middle to intercept and decrypt traffic between you and the target. For SSL sites, it does this by dynamically generating an SSL certificate with the name of the target.
Start Fiddler Everywhere and go to Settings > HTTPS. Click the Trust Root Certificate button. Confirm your choice and add the certificate in the popup that appears. Enable capturing the HTTPS traffic by selecting the Capture HTTPS traffic checkbox.
All generated certificates are stored in the Fiddler-running user's Windows certificate storage area. (Certificates can be seen by launching CertMgr.)
As the certificate is uniquely generated by Fiddler for my system, even if an adversary knew I had such a certificate installed, there isn't a way for them to take advantage of this. If they knew the unique private key of the certificate they could potentially use this against me, for example, via a man-in-the-middle attack, but to do that they'd need to infiltrate my system to get the certificate, at which point there would be no need for the man-in-the-middle attack.
Having said that, just to be extra safe, I've installed the certificate in a separate Firefox profile specifically for use with Fiddler, so that I don't have the certificate in my system when doing general web surfing.
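The two answers above say where the Fiddler root lands (the running user's certificate stores) and that the real exposure is the root's private key sitting on the machine. The script below is an added example, not code from the original post or from the Fiddler project: it inventories the current user's Personal and Trusted Root stores (and the machine Root store) for Fiddler-issued certificates, reports whether each entry carries a private key, and optionally removes them once testing is over. It assumes Fiddler Classic's default root subject name `DO_NOT_TRUST_FiddlerRoot` and matches on the substring `Fiddler` so other editions that name their root differently are also caught; those names are not taken from the page.

```powershell
# Added example (not from the original post or the Fiddler project).
# Lists, and with -Remove deletes, Fiddler-generated certificates from the
# current user's stores. Assumes Fiddler Classic's default root subject
# "DO_NOT_TRUST_FiddlerRoot"; matching on "*Fiddler*" also covers editions
# that use a different name. Removing from LocalMachine\Root needs an
# elevated prompt; the CurrentUser stores do not.
param(
    [switch]$Remove
)

# Root = what the OS trusts; My = where the private keys (root and per-site
# leaf certs) are kept by the default certificate engine.
$stores = @(
    'Cert:\CurrentUser\Root',
    'Cert:\CurrentUser\My',
    'Cert:\LocalMachine\Root'
)

foreach ($store in $stores) {
    $fiddlerCerts = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like '*Fiddler*' -or $_.Issuer -like '*Fiddler*' }

    if (-not $fiddlerCerts) {
        Write-Output "$store : no Fiddler certificates found"
        continue
    }

    foreach ($cert in $fiddlerCerts) {
        # HasPrivateKey is the property that matters: a trusted root whose key
        # is present on the box is what local malicious code could reuse.
        Write-Output ("{0} : {1}  thumbprint={2}  expires={3:yyyy-MM-dd}  hasPrivateKey={4}" -f
            $store, $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $cert.HasPrivateKey)

        if ($Remove) {
            # -DeleteKey is the Certificate provider's dynamic parameter that also
            # destroys the associated private key instead of leaving it orphaned.
            Remove-Item -Path $cert.PSPath -DeleteKey -ErrorAction Stop
            Write-Output "  removed"
        }
    }
}
```

Run it without arguments first to see what is present; `-Remove` then deletes both the trust anchor (Root) and the key material (My), which is the state the second answer aims for between test sessions. Re-trusting later is a matter of repeating the Fiddler trust step described above.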
From the Fiddler FAQs
What’s the Risk?
Many security folks are worried that, if a user configures Windows to trust Fiddler’s root certificate, that user could have their traffic intercepted and decrypted by any other Fiddler user. They assume that Fiddler is sharing the same root certificate across all installations.
Fear not! Every Fiddler root certificate is uniquely generated, per user, per machine. No two Fiddler installations have the same root certificate. The only way for a Fiddler user to be “spoofed” by a bad guy is if that bad guy already is running code inside the user’s account (which means you’d already be pwned anyway).