
I know how Fiddler can decrypt HTTPS traffic by using a Man-In-The-Middle approach. I understand that trusting Fiddler's root certificate comes with risk and that one should trust it responsibly, understanding its implications. However, it leaves you with the risk of an employee installing Fiddler and trusting its root certificate. When this is the case, how can the IT Security department of an organization ensure security?

(I can enforce some policies under which Fiddler or any intercepting proxy cannot be installed. But what if such a thing is not possible, say in an IT company itself?)

Learner
    Just to make sure: You know that the one "Fiddler's root certificate" does not exist? AFAIK Fiddler automatically generates a new key and certificate on each installation. Therefore every user has their own certificate, different from all others. – Robert Apr 13 '16 at 11:14
  • Use Certificate Pinning https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning – Neil McGuigan Apr 13 '16 at 17:50

1 Answer


As stated in the comments, Fiddler uses a different key on each install, so you can only MITM yourself (or the people who trust you).

But if your Fiddler's private key is compromised, then people who trust it can only be saved by removing the certificate.

Pinning can't be useful because HPKP is disabled for user-trusted roots.

The conclusion is: you're safe, just keep your private key private!

Tom
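The practical control the question is asking for is an audit of where a user-installed root such as Fiddler's actually lands: the user's own Trusted Root store (Cert:\CurrentUser\Root), not the machine-wide one. The script below is an added example and not code from the thread or from Fiddler. It lists every root in the current user's store that is absent from the machine stores, flags self-signed ones and ones whose subject looks like an interception proxy root, and optionally removes the flagged ones. Assumptions not taken from the page: the suspect-name list (including "DO_NOT_TRUST_FiddlerRoot", which I believe is the default subject Fiddler uses for its per-install root), and the ProtectedRoots registry path, which I believe is where the Group Policy setting "Allow user trusted root CAs to be used to validate certificates" is recorded; verify both on your own build before relying on them.

```powershell
# Added example (not from the original thread): audit the current user's
# Trusted Root store for roots that a user added themselves, e.g. Fiddler's
# per-install root, and optionally remove the ones that look like proxy roots.
param(
    [switch]$Remove   # actually delete flagged certificates instead of only reporting
)

# Baseline: roots that Windows / Group Policy manage machine-wide.
# Anything in the user store that is NOT here was added by the user (or by software running as the user).
$machineRoots = @{}
foreach ($c in Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot) {
    $machineRoots[$c.Thumbprint] = $true
}

# Subject substrings typical of interception-proxy roots. ASSUMPTION: these names are not
# from the page; "DO_NOT_TRUST_FiddlerRoot" is what I believe Fiddler's default root CN is.
$suspectNames = @('DO_NOT_TRUST_FiddlerRoot', 'Fiddler', 'mitmproxy', 'Burp', 'Charles')

$findings = @()
foreach ($c in Get-ChildItem -Path Cert:\CurrentUser\Root) {
    # Same CA is also in the machine store: trusted by policy, not by this user alone.
    if ($machineRoots.ContainsKey($c.Thumbprint)) { continue }

    $nameHit = $suspectNames | Where-Object { $c.Subject -like "*$_*" }
    $findings += [pscustomobject]@{
        Thumbprint    = $c.Thumbprint
        Subject       = $c.Subject
        NotAfter      = $c.NotAfter
        SelfSigned    = ($c.Subject -eq $c.Issuer)   # every root is self-signed; user-added ones are the interesting set
        SuspectName   = [bool]$nameHit
        HasPrivateKey = $c.HasPrivateKey             # a root whose private key sits on this box can sign for any site
    }
}

# Also report whether user-trusted roots are honoured at all. ASSUMPTION: this registry
# location is where the "Allow user trusted root CAs" policy is stored; Flags = 1 means
# user-added roots are not used for path validation.
$prot = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots' `
                         -Name Flags -ErrorAction SilentlyContinue
if ($prot -and $prot.Flags -eq 1) {
    Write-Host 'Policy: user-trusted roots are disabled for path validation (ProtectedRoots Flags=1).'
} else {
    Write-Host 'Policy: user-trusted roots are honoured; anything listed below can MITM this user.'
}

if ($findings.Count -eq 0) {
    Write-Host 'No user-added roots found in Cert:\CurrentUser\Root.'
} else {
    $findings | Sort-Object SuspectName -Descending | Format-Table -AutoSize
}

# Removal is the remediation the answer above describes: once the certificate is gone from
# the trust store, a compromised Fiddler key can no longer be used against this user.
if ($Remove) {
    foreach ($f in ($findings | Where-Object { $_.SuspectName })) {
        Write-Host "Removing $($f.Thumbprint) ($($f.Subject))"
        Remove-Item -Path "Cert:\CurrentUser\Root\$($f.Thumbprint)" -Confirm:$false
    }
}
```

Run it as the user being audited (roots are per user, which is the whole point of the comments above); run it with -Remove to delete the flagged roots, or feed the Thumbprint column to a ticketing or inventory system. Because Fiddler generates a fresh key per install, there is no single thumbprint to blocklist, which is why the script works from the machine-store baseline rather than a fixed denylist.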