I am using SSL on the Azure platform (provided out of the box) with basic authentication. The call works, but when I view the posts in Fiddler, I see the authentication string and any other manual headers I add in what appears to be clear text. Should this be the case? From what I have read, SSL with basic authentication is an accepted standard and everything should be encrypted.

Using an HTTPS URL, I see two Fiddler entries: the one that tunnels into HTTPS and then a second one. On the second one (HTTPS), I can see the three header items the code adds. I would have thought it would be encrypted. Or can I see it in Fiddler because the request originated from my machine?

My code looks like this:

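// Requires: using System; using System.IO; using System.Net; using System.Text;
var webRequest = WebRequest.Create(azureSiteContract);
// Basic authentication: the header value is the scheme name "Basic" followed by
// base64("user:pass"). Base64 is an encoding, not encryption; TLS protects it in transit.
webRequest.Headers["Authorization"] = "Basic " + Convert.ToBase64String(Encoding.Default.GetBytes(user + ":" + pass));
webRequest.Headers["Test"] = "blah1";
webRequest.Headers["Test2"] = "blah2";
webRequest.Credentials = new NetworkCredential(user, pass);
using (var webResponse = webRequest.GetResponse())
{
    using (var responseStream = webResponse.GetResponseStream())
    {
        // Read the whole response body as text.
        results = new StreamReader(responseStream).ReadToEnd();
    }
}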
ProgramTheWorld

1 Answer

You have probably set Fiddler to decrypt using its certificate (a man-in-the-middle attack).

John Nicholas
  • The question is why is it decrypting, the answer is because you have probably configured it to do so. I do not see how this is not an answer. Should this be the case, if my stated assumption is true: yes, and yes again to the final question. Your complaint is probably against the question if you do not like this answer. It probably could have been RTFM – John Nicholas Jul 08 '14 at 16:41
  • I understand now, and I agree with your assessment. Please consider adding how to check and change decryption settings in Fiddler. – Patrick M Jul 08 '14 at 17:09
  • Most likely that is the case. I will accept it as so as it is the one thing I hadn't thought of. If I discover differently, I will post back. Thanks for the fast response. – ProgramTheWorld Jul 08 '14 at 20:49
  • Also...been a while since I used this site. I will be more punctual checking any answers I post in the future :) – ProgramTheWorld Jul 08 '14 at 20:50
  • No worries, I have an answer I have not marked correct that's 2 days old .. had no time to check it yet ;) – John Nicholas Jul 08 '14 at 21:47
  • Ok...using these instructions (see below), I confirmed John's answer. Thanks! http://docs.telerik.com/fiddler/configure-fiddler/tasks/decrypthttps/ – ProgramTheWorld Jul 09 '14 at 14:33
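
Added example, not part of the original posts: a way to confirm the answer from the client side by looking at who issued the certificate the request was actually shown. It assumes Fiddler's default root name `DO_NOT_TRUST_FiddlerRoot` (not stated on this page); the class name, the sample issuer strings and the URL passed on the command line are illustrative.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class InterceptionCheck
{
    // Default common name of the root certificate Fiddler generates for HTTPS decryption.
    const string FiddlerRootCn = "CN=DO_NOT_TRUST_FiddlerRoot";

    // True when an issuer distinguished name points at Fiddler's root.
    public static bool IsFiddlerIssuer(string issuerDn)
    {
        return issuerDn != null &&
               issuerDn.IndexOf(FiddlerRootCn, StringComparison.OrdinalIgnoreCase) >= 0;
    }

    // Validation callback: reports who issued the certificate this client was shown,
    // then keeps the platform's own verdict, so validation is never weakened.
    static bool Inspect(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        Console.WriteLine("Subject: " + cert.Subject);
        Console.WriteLine("Issuer : " + cert.Issuer);
        Console.WriteLine(IsFiddlerIssuer(cert.Issuer)
            ? "TLS ends at Fiddler: it decrypts the headers, then re-encrypts to the server."
            : "Not issued by Fiddler's root.");
        return errors == SslPolicyErrors.None;
    }

    static void Main(string[] args)
    {
        // Constructed issuer strings, so the check can be tried without a network.
        Console.WriteLine(IsFiddlerIssuer("OU=Created by http://www.fiddler2.com, O=DO_NOT_TRUST, CN=DO_NOT_TRUST_FiddlerRoot"));
        Console.WriteLine(IsFiddlerIssuer("CN=Constructed Public CA, O=Example Trust, C=US"));

        if (args.Length == 0) return; // pass an https:// URL to inspect a live connection
        var request = (HttpWebRequest)WebRequest.Create(args[0]);
        request.ServerCertificateValidationCallback = Inspect;
        try
        {
            using (request.GetResponse()) { }
        }
        catch (WebException ex)
        {
            // A 401 or similar still means the handshake ran and the callback printed.
            Console.WriteLine("Request ended with: " + ex.Status);
        }
    }
}
```

Run once with Fiddler capturing and HTTPS decryption enabled, and once with it closed: the issuer changes from Fiddler's root to the site's real certificate authority, which shows the headers are only readable on the machine that trusts Fiddler's root.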