What is point of SSL if fiddler 2 can decrypt all calls over HTTPS?

by

This is covered here: http://www.fiddlerbook.com/fiddler/help/httpsdecryption.asp

Fiddler2 relies on a “man-in-the-middle” approach to HTTPS interception. To your web browser, Fiddler2 claims to be the secure web server, and to the web server, Fiddler2 mimics the web browser. In order to pretend to be the web server, Fiddler2 dynamically generates a HTTPS certificate.

Essentially, you manually trust whatever certificate Fiddler provides, the same will be true if you manually accept certificate from random person that does not match domain name.

EDIT:
There are ways to prevent Fiddler/man-in-the-middle attack – i.e. in custom application, using SSL, one can require particular certificates to be used for communication. In case of browsers, they have UI to notify user of certificate mismatch, but eventually allow such communication.

As a publicly available sample for explicit certificates, you can try to use Azure services (i.e. with PowerShell tools for Azure) and sniff traffic with Fiddler. It fails due to explicit cert requirement.

More Related Contents:

  1. Encryption and Decryption I want the method that he used to encrypt
  2. Casting a result to float in method returning float changes result
  3. C# version of OpenSSL EVP_BytesToKey method?
  4. C# Ignore certificate errors?
  5. The request was aborted: Could not create SSL/TLS secure channel
  6. Converting image to base64
  7. Encrypting credentials in a WPF application
  8. Start may not be called on a promise-style task. exception is coming
  9. OpenSSL encryption using .NET classes
  10. Why does a bad password cause “Padding is invalid and cannot be removed”?
  11. RSA Encryption, getting bad length
  12. How to open Outlook new mail window c#
  13. Associate a private key with the X509Certificate2 class in .net
  14. C# Encryption to PHP Decryption
  15. Working with C# Anonymous Types
  16. How to Generate Unique Public and Private Key via RSA
  17. Why is there a difference in checking null against a value in VB.NET and C#?
  18. Get property value from C# dynamic object by string (reflection?)
  19. how to enable TLS 1.3 in windows 10
  20. Get current scroll position from rich text box control?
  21. Is there a Task based replacement for System.Threading.Timer?
  22. How to set read permission on the private key file of X.509 certificate from .NET
  23. In .NET 4.0, how do I ‘sandbox’ an in-memory assembly and execute a method?
  24. Why is the binary output not equal when compiling again?
  25. How to check if a byte array is a valid image?
  26. CryptographicException “Key not valid for use in specified state.” while trying to export RSAParameters of a X509 private key
  27. How to implement Triple DES in C# (complete example)
  28. Encrypt Query String including keys
  29. Is it safe to test the X509Certificate.Thumbprint property when you know an invalid certificate is safe?
  30. Using SSL and SslStream for peer to peer authentication?

Leave a Comment