
I have nginx installed on my server. I have enabled SSL in nginx. I have created a certificate with the openssl tool (self-signed). I have attached it to nginx, so now when I go to mydomain.com/ver.php, Chrome warns me about the certificate not being trusted, which is OK.

Now when I call this /ver.php in C# using WebClient and HTTPS, everything works; however, Fiddler is able to decrypt the HTTPS traffic, which is not acceptable. I also saw a request to plus.google.com, which was also via HTTPS, and it was fully decrypted. So why is this happening? How can a third-party application read what I have just sent to my application written in C# via HTTPS?

clzola
  • I am sorry, but I still don't understand how to prevent Fiddler from reading my messages sent from a C# application using WebClient. – clzola Jul 06 '15 at 12:24
  • When you tell Fiddler (via its menu Tools => Fiddler Options => HTTPS) to decrypt HTTPS, it displays warnings about how that compromises the security of your computer. – AdrianHHH Jul 06 '15 at 12:45
  • But my goal here is to not allow any user to read what I send to the server and receive from it. If someone can install Fiddler and analyse the HTTPS requests my application is generating, then what is the point of buying a certificate, putting it on the server and trying to secure that connection with SSL? – clzola Jul 06 '15 at 13:21

2 Answers


Fiddler has the ability to do a man-in-the-middle attack (to check HTTPS packets). You will find that you have trusted the Fiddler certificate. You can find it in the Trusted Root Certification Authorities store, called DO_NOT_TRUST_FiddlerRoot. If you remove this certificate you will receive an unsecured connection error.

Fiddler will create a certificate for every website you visit, signed by its root certificate.

Siber195

You can't stop the end user (the actual user who is consuming your application) from reading the data sent over HTTPS requests. But you can protect HTTPS data from a man-in-the-middle.

Keeping Fiddler aside, there are a lot of browser add-ons like Firebug, HTTPFox, Tamper Data etc., which will show you all HTTP and HTTPS traffic.


For all HTTPS communication, the browser will accept certificates only from trusted CAs (like "GoDaddy", "DigiCert"). Websites like Google and Facebook will use certificates from these trusted CAs.

Whenever you enable HTTPS traffic decryption in Fiddler, the following things will happen.

  • Fiddler (man-in-the-middle) will automatically install its root certificate "DO_NOT_TRUST_FiddlerRoot" into the browser's CA list.
  • Fiddler will use your website's certificate to decrypt the HTTP traffic.
  • Again, Fiddler will encrypt the same HTTP traffic using a Fiddler-signed certificate, i.e., all your website calls will have a Fiddler-signed certificate.

As Fiddler-signed certificates are trusted by the user's browser (due to the first step), you will not see any certificate errors. Just remove the root certificate "DO_NOT_TRUST_FiddlerRoot" from the browser's CA list. Your browser will start alerting you.

I hope this may help you!

Venkatesh Achanta
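Both answers above describe the same mechanism: once DO_NOT_TRUST_FiddlerRoot sits in the trusted root store, every certificate Fiddler mints passes the default chain check, so WebClient is happy to talk to the proxy. The practical countermeasure for the C# client in the question is certificate pinning: ignore the system's "is this chain trusted" verdict and accept only the one certificate you actually installed in nginx. The following is an added example written for this page, not code from the question or either answer. It assumes .NET Framework (where ServicePointManager governs WebClient/HttpWebRequest), the URL https://mydomain.com/ver.php from the question, and a placeholder thumbprint PinnedThumbprint that you replace with the SHA-1 fingerprint of your own self-signed certificate (`openssl x509 -in server.crt -noout -fingerprint -sha1`, colons removed).

```csharp
// Added example (not from the original question or answers): pin the server's own
// self-signed certificate in a WebClient call so that a Fiddler-issued certificate is
// rejected even when DO_NOT_TRUST_FiddlerRoot is in the trusted root store.
// Assumes .NET Framework and that PinnedThumbprint is replaced with the SHA-1
// thumbprint of the certificate actually installed in nginx (placeholder value below).
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class PinnedWebClientDemo
{
    // Placeholder (assumption): obtain the real value with
    //   openssl x509 -in server.crt -noout -fingerprint -sha1
    // and paste it here without the colons.
    const string PinnedThumbprint = "0000000000000000000000000000000000000000";

    static void Main()
    {
        // The callback applies to every HttpWebRequest/WebClient in this process.
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;

        using (var client = new WebClient())
        {
            try
            {
                Console.WriteLine(client.DownloadString("https://mydomain.com/ver.php"));
            }
            catch (WebException ex)
            {
                // Thrown when the callback returns false, i.e. the pin did not match.
                Console.WriteLine("Request refused: " + ex.Message);
            }
        }
    }

    static bool ValidateServerCertificate(object sender, X509Certificate certificate,
                                          X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (certificate == null)
            return false;

        var presented = new X509Certificate2(certificate);

        // Only the pinned certificate is acceptable. The built-in verdict in
        // sslPolicyErrors is deliberately ignored: for the self-signed certificate it
        // reports RemoteCertificateChainErrors, and for a Fiddler-issued one it reports
        // no error at all, which is exactly the case that must not be trusted.
        if (string.Equals(presented.Thumbprint, PinnedThumbprint,
                          StringComparison.OrdinalIgnoreCase))
            return true;

        // Pin mismatch: log who issued what was presented, so an intercepting proxy
        // shows up by name (e.g. CN=DO_NOT_TRUST_FiddlerRoot) instead of silently passing.
        Console.WriteLine("Certificate pin mismatch for " + presented.Subject);
        Console.WriteLine("  presented thumbprint: " + presented.Thumbprint);
        if (chain != null)
        {
            foreach (X509ChainElement element in chain.ChainElements)
            {
                Console.WriteLine("  chain: " + element.Certificate.Subject
                                  + " (issuer: " + element.Certificate.Issuer + ")");
            }
        }
        return false;
    }
}
```

With Fiddler decrypting, the log shows a leaf for mydomain.com whose issuer is DO_NOT_TRUST_FiddlerRoot and the request is refused; with Fiddler off (or its root removed) the pinned certificate matches and the download proceeds. Two caveats: pinning a single certificate means you must ship an updated pin before rotating the server certificate (pinning the hash of the SubjectPublicKeyInfo survives re-issuance with the same key and is the more robust choice), and, as the second answer says, a user who controls the machine can still patch the binary or hook the callback, so pinning defeats interception the user did not consent to, not the user themselves.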