I'm looking to inspect HTTP traffic sent and received by a WFC client using Fiddler. To do this I've added the Fiddler Root Certificate to the Windows certificate store.

My question: is there are any risk of leaving this certificate in the Windows store ready for when I may need to test again? Could an attacker take advantage of the fact that it's there? Should I remove it once I've finished testing?

Dan Stevens

  • wouldn't worry about it too much if it's a cert that fiddler generated locally, unless you expect someone to bust into your system, steal the private key for the cert, and then start signing other things with that. you could, however, go into the cert tool and disallow usage of the cert for anything other than http usage. – Marc B Feb 12 '16 at 15:05
  • @MarcB Hello, can you point me in the right direction of finding the cert tool and disallowing the usage of it for non-http? Thanks. – Shayan Feb 14 '22 at 05:54
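An added example, not from the question or any of the answers: a PowerShell script that locates a Fiddler root certificate in the Windows certificate stores, reports what matters for the risk question (which store it lives in, whether the private key is present, whether it is a CA certificate, when it expires) and deletes it on request. It assumes Fiddler's default subject name `DO_NOT_TRUST_FiddlerRoot`; the `-Remove` switch and `$SubjectPattern` are names chosen here. Restricting the certificate's purposes as Marc B suggests is done in the GUI (`certmgr.msc` > Trusted Root Certification Authorities > Certificates > right-click the certificate > Properties > "Enable only the following purposes"); the script does not change purposes, it only reports and removes.

```powershell
# Added example (not code from the original question, answers or from Fiddler):
# find any Fiddler root certificate in the user and machine stores, report the
# properties relevant to the "is it risky to leave it" question, and optionally
# remove it. Assumes Fiddler's default subject "DO_NOT_TRUST_FiddlerRoot";
# adjust $SubjectPattern if your installation uses a different name.
param(
    [switch]$Remove   # without this switch the script only reports
)

$SubjectPattern = '*DO_NOT_TRUST_FiddlerRoot*'

# Root = trusted CAs (this is what makes interception work for Windows apps);
# My = personal store, where a copy of the cert with its private key may live.
$stores = @(
    'Cert:\CurrentUser\Root',
    'Cert:\CurrentUser\My',
    'Cert:\LocalMachine\Root',
    'Cert:\LocalMachine\My'
)

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like $SubjectPattern } |
        ForEach-Object {
            $basic = $_.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A trusted root whose private key is reachable from this account
                # is what an attacker on the box would use to mint fake certs.
                HasPrivateKey = $_.HasPrivateKey
                IsCA          = [bool]($basic | ForEach-Object { $_.CertificateAuthority })
            }
        }
}

if (-not $found) {
    Write-Host "No Fiddler root certificate found in: $($stores -join ', ')"
    return
}

$found | Format-Table -AutoSize

# LocalMachine\Root is trusted by every account on the machine, not just the tester.
$found | Where-Object { $_.Store -like 'Cert:\LocalMachine\*' } | ForEach-Object {
    Write-Warning "Fiddler root is trusted machine-wide: $($_.Thumbprint) in $($_.Store)"
}

if ($Remove) {
    foreach ($cert in $found) {
        # -DeleteKey also removes the associated private key, so the root cannot be
        # re-used for signing even if the cert object is later re-imported.
        Remove-Item -Path "$($cert.Store)\$($cert.Thumbprint)" -DeleteKey -Force -Verbose
    }
}
```

Run it without arguments to see what is installed, and with `-Remove` once testing is finished. Two caveats worth knowing: the per-machine uniqueness the Fiddler FAQ relies on only holds while the root and its private key stay on the machine that generated them, so a root that was exported to a `.pfx` and copied to other machines should be treated as shared; and Firefox keeps its own trust store, so the Windows-store check above says nothing about a root added to a Firefox profile unless Firefox has been configured to trust the Windows roots (`security.enterprise_roots.enabled`).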

4 Answers

22

As the certificate is uniquely generated by Fiddler for my system, even if an adversary knew I had such a certificate installed, there isn't a way for them to take advantage of this. If they knew the unique private key of the certificate they could potentially use this against me, for example, via a man-in-the-middle attack, but to do that they'd need to infiltrate my system to get the certificate, at which point there would be no need for the man-in-the-middle attack.

Having said that, just to be extra safe, I've installed the certificate in a separate Firefox profile specifically for use with Fiddler, so that I don't have the certificate in my system when doing general web surfing.

Dan Stevens

10

From the Fiddler FAQs

What’s the Risk?

Many security folks are worried that, if a user configures Windows to trust Fiddler’s root certificate, that user could have their traffic intercepted and decrypted by any other Fiddler user. They assume that Fiddler is sharing the same root certificate across all installations.

Fear not! Every Fiddler root certificate is uniquely generated, per user, per machine. No two Fiddler installations have the same root certificate. The only way for a Fiddler user to be “spoofed” by a bad guy is if that bad guy already is running code inside the user’s account (which means you’d already be pwned anyway).

The Gilbert Arenas Dagger

-1

Corporate usage instructions I have seen at more than one client include the Cert removal step after Fiddler has been used. So the answer would definitely be a "Yes, do remove the certificate after use."

buzzAZ

-5

No it's not safe, and yes you should remove it.

The entire point of it is to break the security of SSL for debugging convenience.

It even has "DO_NOT_TRUST" in its name, for a good reason.

Jon Hanna

  • This is incorrect, please don't assume that this guy's high reputation means he is correct on this answer. Each key is uniquely generated and there is no security issue. See Fiddler's FAQ for yourself: https://www.telerik.com/blogs/faq---certificates-in-fiddler – charleswj81 Oct 24 '18 at 02:55
  • I think the "DO_NOT_TRUST" warning is in case the certificate ends up being served in a context outside the very specific context it is meant for. For example, if someone intentionally or accidentally set it as their web server's SSL certificate. If such a thing is possible, it would be bad and the user should rightfully be warned not to trust it. – Dan Stevens Aug 21 '19 at 08:57
  • OP said "I'm looking to inspect HTTP traffic", and telerik has made it clear that for inspection purposes it is completely safe; my understanding is that it is not safe for production, and that's why it has DO_NOT_TRUST in its name. – Bizhan Oct 12 '19 at 04:02