While looking at the HttpWebRequest and HttpWebResponse methods in C#, I just learnt about HTTP POST, HTTP GET and HTTPS.

HTTPS means whatever data we send will be encrypted so that it is secure.

Even when submitting some POST data to an HTTPS site with an HttpWebRequest, Fiddler seems to have no problem reading the username and password. How?

```
POST https://someurl  HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: some-host
Content-Length: 84
Expect: 100-continue
Connection: Keep-Alive

j_username=admin&j_password=pass*&Submit=Login
```

The URL above being HTTPS probably means that all data is encrypted.

How come Fiddler then knows about the username and password?

EricLaw
  • Because you are the client and your Fiddler is on the same endpoint as you are. `Transmission` to and from the server will be encrypted – Hanky Panky May 06 '14 at 11:02
  • Isn't Fiddler a MITM proxy? .. you're talking to Fiddler.. Fiddler talks to the other side.. therefore, Fiddler knows about the data in the request.. it gave you the certificate to encrypt it with. – Simon Whitehead May 06 '14 at 11:05
  • @SimonWhitehead: Thanks. So, in the `case of using a browser`, the `browser` gives the `certificate` to encrypt the `form details` that I send? – now he who must not be named. May 06 '14 at 11:11
  • No.. the browser talks directly to the other end. That is why Fiddler is considered a "Man In The Middle" (MITM) proxy. – Simon Whitehead May 06 '14 at 11:13

1 Answer

Fiddler is your proxy in a certain sense; it sits in between you and the outside world.

Matas Vaitkevicius
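The point made in the comments and the answer, as an added example that is not part of the original thread: a decrypting proxy hands the client its own certificate for the host name, so a client that compares the certificate it receives against a known fingerprint can tell the two cases apart even when the machine trusts the proxy's root. The class name, the helper names and the two throwaway certificates are assumptions constructed for illustration; `CertificateRequest` needs .NET Framework 4.7.2 or later, or .NET Core 2.0 or later.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class InterceptionCheck
{
    // Constructed sample data: a throwaway self-signed certificate for a subject.
    static X509Certificate2 MakeCert(string subject)
    {
        RSA key = RSA.Create(2048);
        var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256,
                                         RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                    DateTimeOffset.UtcNow.AddDays(30));
    }

    // Base64 SHA-256 fingerprint of the DER-encoded certificate.
    static string Fingerprint(X509Certificate cert)
    {
        using (SHA256 sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(cert.GetRawCertData()));
    }

    // Callback that requires normal validation to pass AND the certificate to be the pinned one.
    static RemoteCertificateValidationCallback PinTo(string expected)
    {
        return (sender, cert, chain, errors) =>
            errors == SslPolicyErrors.None && cert != null && Fingerprint(cert) == expected;
    }

    static void Main()
    {
        // Same host name on both; only the key and signer differ (constructed stand-ins).
        X509Certificate2 fromServer = MakeCert("CN=some-host");
        X509Certificate2 fromProxy = MakeCert("CN=some-host");
        RemoteCertificateValidationCallback check = PinTo(Fingerprint(fromServer));

        // SslPolicyErrors.None models a machine that trusts the signer of each certificate,
        // which is the situation once a proxy's root certificate has been installed.
        Console.WriteLine("direct:    " + check(null, fromServer, null, SslPolicyErrors.None));
        Console.WriteLine("via proxy: " + check(null, fromProxy, null, SslPolicyErrors.None));

        // Wiring the same check into a request (created here, not sent).
        var request = (HttpWebRequest)WebRequest.Create("https://some-host/");
        request.ServerCertificateValidationCallback = check;
    }
}
```

With the callback attached, a request that goes through a decrypting proxy fails the TLS handshake on the client side instead of sending the form fields to the proxy.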