
I'm using Silverlight 5 and WCF, and the site is secured with HTTPS. However, if I use Fiddler, I can see this in the headers: GET /ClientBin/XXXX-Web-MyService.svc/binary/GetUsers

If I put that directly after my domain: https://www.mydom.com/ClientBin/XXXX-Web-MyService.svc/binary/GetUsers

it will download all data from table users. How can I hide and protect this information from being visible?! Isn't using SSL enough? Why is this visible anyway if I'm using HTTPS?!

Thank you.

EDIT: my initial question was kind of an 'uneducated' one, and for that I apologise.

I found more info on the subject and did more research. In this question on SO there is an explanation of why Fiddler is able to decrypt and view requests and responses sent over HTTPS:
What is point of SSL if fiddler 2 can decrypt all calls over HTTPS?

And to make things even more difficult, the common solution to this problem is using "Certificate Pinning", which requires the use of System.Net.ServicePointManager, which is not included in the Silverlight implementation of the System.Net namespace.

So here I am, stuck with an SSL cert that I paid for that can be "cracked" by anyone with basic knowledge of web debugging.

  • HTTPS/SSL is only for protecting information in flight. The user must obviously be able to read the data on the other end. But it stops the data being intercepted or tampered with en route. What exactly are your requirements for your data transport? It sounds a little like you have an untrusted platform problem. – Aron Feb 25 '13 at 08:58
  • Thank you for your comment @Aron, I updated my question with more info I found on the subject. – Osama Mar 09 '13 at 17:05
  • Again. What are you trying to protect against? – Aron Mar 10 '13 at 04:24
  • Fiddler and other web debugging proxies. – Osama Mar 10 '13 at 10:21
  • PS: you do realise that the only reason that Fiddler works is because you, as the computer's admin, tell the computer that Fiddler is doing something I want, and that Fiddler WILL NOT work against someone else's computer? – Aron Mar 10 '13 at 14:11

1 Answer


From a purely Theoretical Computer Science point of view, what you are asking for is near impossible to actually impossible. You would need to implement a trusted platform to protect against the attack.

Now for the Science bit, Concentrate

Okay, so let's start with some basic theory. SSL, and thus by extension HTTPS, solves a very, very specific problem: how do you communicate confidential information over an insecure NETWORK with a party you have never communicated with before? In this case, the emphasis is on NETWORK. It does so by solving two problems:

  1. Authentication of the server (the server is who it says it is)
  2. Asymmetric Encryption of key exchange

There is some overlap, to ensure that this is one step. I will focus on the 1st, as this is where Fiddler "attacks" your system.

The SSL authentication works on a concept of a web of trust. Your computer has a list of TRUSTED verifiers. These are companies like Verisign, Thawte, Geotrust etc. These companies verify certificates by signing them (a complex asymmetric encryption term, but it's very like a handwritten signature: hard to forge, easy to verify).

Fiddler works by inserting a new trusted CA (verifier) into your computer. From then on, when you visit an HTTPS site, it sends requests on your behalf, reads the response, then forwards it back on to you with its OWN SIGNATURE. Since your computer completely trusts this signature, it thinks nothing is wrong.

Now, you want to implement certificate pinning. This IMHO is "bloody awful". It works by telling your software to expect a specific SSL cert. Two reasons why this is bad:

  1. If I can work Fiddler, I can work dotPeek and recompile WITHOUT certificate pinning.
  2. When your certificate gets revoked, your clients won't be able to connect.

Why would your certificate be revoked? If your CA loses their private keys, then they will be obliged to make sure it's revoked and a replacement sent to you. Also, each and every certificate has a sell-by date as well, and must be replaced before it starts to smell.

So finally what can you do?

SSL is NOT designed to protect against what you are doing on your machine. The simplest way to do what you are asking is to simply wrap your WCF calls in an extra layer of symmetric (or even asymmetric) encryption. But once again, the keys must live somewhere, so your client WILL be able to get the keys from a simple disassembly of your binaries and be able to construct a proxy of their own.

In conclusion

This is pretty much exactly the same as the DRM problem. You want to give your customer access to something on their machine but not show them how it works. If you do manage to solve this problem, do post a follow up, since Sony, Nintendo and Microsoft (to name a few) would be very interested in your findings.
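For readers on full .NET rather than Silverlight (which, as the question notes, lacks ServicePointManager), here is an added example, not code from the answer above, of what a pinning check looks like when done as an extra step on top of normal chain validation. It pins the hash of the server's public key instead of the whole certificate and carries a backup pin, which covers the renewal/revocation objection raised above; the pin values and class name are placeholders.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the answer): public-key pinning for a full .NET client.
// Pinning the SHA-256 of the public key (rather than the certificate) lets a renewed
// certificate that keeps the same key pair pass; the backup pin lets you roll keys
// without stranding clients. Silverlight has no ServicePointManager, so this is for
// desktop/server .NET only.
public static class PinnedClient
{
    // Placeholder pins: Base64(SHA-256(public key bytes)). Compute these from your own
    // current key and a pre-generated backup key; the strings here are not real values.
    static readonly string[] PinnedPublicKeyHashes =
    {
        "PRIMARY_PIN_BASE64_PLACEHOLDER=",
        "BACKUP_PIN_BASE64_PLACEHOLDER="
    };

    public static string PublicKeyHash(X509Certificate certificate)
    {
        using (var sha256 = SHA256.Create())
        {
            return Convert.ToBase64String(sha256.ComputeHash(certificate.GetPublicKey()));
        }
    }

    public static bool ValidateServerCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Keep the normal chain validation: pinning is an additional check, not a replacement.
        if (sslPolicyErrors != SslPolicyErrors.None || certificate == null)
            return false;

        // An interception proxy presents a certificate it generated itself. The chain
        // validates because its CA was installed as trusted, but the key does not match.
        bool pinned = PinnedPublicKeyHashes.Contains(PublicKeyHash(certificate));
        if (!pinned)
            Console.Error.WriteLine("Pin mismatch for " + certificate.Subject +
                                    " (chain valid but key not pinned; possible interception proxy)");
        return pinned;
    }

    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
    }
}
```

As the answer points out, this only raises the bar against a proxy on the user's own machine; someone who controls that machine can remove the check from the binary.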
