Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is point of SSL if fiddler 2 can decrypt all calls over HTTPS?

I asked a question here a while back on how to hide my http request calls and make them more secure in my application. I did not want people to use fiddler 2 to see the call and set up an auto responder. Everyone told me to go SSL and calls will be hidden and information kept safe.

I bought and installed an SSL Certificate and got everything set up. I booted up fiddler 2 and ran a test application that connect to an https web service as well as connected to an https php script.

Fiddler 2 was able to not only detect both requests, but decrypt them as well! I was able to see all information going back and fourth, which brings me to my question.

What is the point of having SSL if it made zero difference to security. With or without SSL I can see all information going back and fourth and STILL set up an auto responder.

Is there something in .NET I am missing to better hide my calls going over SSL?

EDIT

I am adding a new part to this question due to some of the responses I have received. What if an app connects to a web service to login. The app sends the web service a username and a password. The web service then sends data back to the app saying good login data or bad. Even if going over SSL the person using fiddler 2 could just set up an auto responder and the application is then "cracked". I understand how it could be useful to see the data in debugging, but my question is what exactly should one do to make sure the SSL is connecting to the one it was requesting. Basically saying there cannot be a middle man.

like image 399
Landin Martens Avatar asked May 30 '12 01:05

Landin Martens


People also ask

Why do we need SSL decryption?

Benefits of SSL Decryption Implementing SSL decryption and inspection helps today's organizations keep their end users, customers, and data safe, with the ability to: Prevent data breaches by finding hidden malware and stopping hackers from sneaking past defenses.

What are the two purposes of SSL?

In the context of SSL/TLS, digital certificates are cryptographic files that you install on a server. The certificate serves two primary functions: The certificate authenticates the identity of the server; and. The certificate binds a key pair to that server.

How can Fiddler decrypt HTTPS?

Fiddler allows you to decrypt HTTPS traffic by installing its root certificate and enabling HTTPS decryption. First, start Fiddler on the device that will be intercepting traffic. Next, go to Tools > Options > HTTPS, and check the checkbox that says “Decrypt HTTPS Traffic”.

Can SSL traffic be decrypted?

No. You can't decrypt if you have all the traffic. Even if you have the private key of the certificate, the private key is only used to authenticate. The keys that the traffic is encrypted with are generated during the handshake by the communicating programs (the server and your browser).


2 Answers

This is covered here: http://www.fiddlerbook.com/fiddler/help/httpsdecryption.asp

Fiddler2 relies on a "man-in-the-middle" approach to HTTPS interception. To your web browser, Fiddler2 claims to be the secure web server, and to the web server, Fiddler2 mimics the web browser. In order to pretend to be the web server, Fiddler2 dynamically generates a HTTPS certificate.

Essentially, you manually trust whatever certificate Fiddler provides, the same will be true if you manually accept certificate from random person that does not match domain name.

EDIT: There are ways to prevent Fiddler/man-in-the-middle attack - i.e. in custom application, using SSL, one can require particular certificates to be used for communication. In case of browsers, they have UI to notify user of certificate mismatch, but eventually allow such communication.

As a publicly available sample for explicit certificates, you can try to use Azure services (i.e. with PowerShell tools for Azure) and sniff traffic with Fiddler. It fails due to explicit cert requirement.

like image 118
Alexei Levenkov Avatar answered Oct 19 '22 05:10

Alexei Levenkov


You could set up your web-service to require a Client-side certification for SSL authentication, as well as the server side. This way Fiddler wouldn't be able to connect to your service. Only your application, which has the required certificate would be able to connect.

Of course, then you have the problem of how to protect the certificate within the app, but you've got that problem now with your username & password, anyway. Someone who really wants to crack your app could have a go with Reflector, or even do a memory search for the private key associated with the client-side cert.

There's no real way to make this 100% bullet proof. It's the same problem the movie industry has with securing DVD content. If you've got software capable of decrypting the DVD and playing back the content, then someone can do a memory dump while that software is in action and find the decryption key.

like image 40
Andrew Cooper Avatar answered Oct 19 '22 06:10

Andrew Cooper