Is there a way to completely encrypt the outgoing HTTPS requests from the software to the server? I mean, there are apps like Charles and Fiddler that can capture the HTTPS traffic and see everything, like the headers, URL, ... I do not want anyone to see or capture the traffic going from my app. I'm using a Delphi 10.1 VCL app.
- Related: https://stackoverflow.com/q/10808930/8041231. Still, this sounds more like a question for https://security.stackexchange.com. – Victoria Jun 06 '17 at 02:11
- You certainly can attempt to encrypt the content to prevent eavesdropping by intercepting proxies, but the problem is where do you put the encryption key? It needs to be available on the client, and it generally is not too difficult for a hacker to find that key. Your efforts will raise the bar for hacking it mildly, but not by much. SSL pinning is another approach you can use to slow down an attacker from eavesdropping on your TLS communications. – TheGreatContini Jun 06 '17 at 02:13
1 Answer
If you're using HTTPS and you are properly validating certificates as a browser would, there is no way for an intermediate to view URLs or headers, or content. All they can see is which server you're communicating with.
The way Charles gets around this is that it presents its own non-genuine certificate, which won't validate, and proxies the communication. If your app is validating certificates it would refuse to communicate with the Charles proxy. If you viewed the Charles proxy with a web browser it would present an SSL certificate error.
If you trust that particular Charles proxy and want to add an exception in your client or browser, you can. But it only allows that particular one - it doesn't mean anyone else can intercept your HTTPS, or read URLs, etc, using their own Charles proxy or similar.

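The certificate validation described in the answer, combined with the SSL pinning mentioned in the comments, as an added example that is not part of the original posts. It is written in Python rather than Delphi, and the names `SAMPLE_DER`, `PINNED`, `fingerprint`, `pin_matches` and `open_pinned` are hypothetical; the sample certificate bytes are constructed.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a server certificate's DER bytes (not a real certificate).
SAMPLE_DER = b"constructed-example-certificate-der"
# Pins shipped with the client: SHA-256 hex fingerprints of the expected certificate.
PINNED = {hashlib.sha256(SAMPLE_DER).hexdigest()}


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (lowercase hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, pins) -> bool:
    """True if the presented certificate's fingerprint is one of the pins."""
    fp = fingerprint(der)
    # Evaluate every pin, then combine, so the check does not exit early.
    return any([hmac.compare_digest(fp, p.lower()) for p in pins])


def open_pinned(host: str, pins, port: int = 443, timeout: float = 10.0):
    """Open a TLS connection that passes normal validation AND the pin check."""
    # Step 1: validate as a browser would (trusted chain + hostname match).
    # An intercepting proxy whose CA is not trusted on this machine fails here.
    ctx = ssl.create_default_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
    # Step 2: pinning. Even if the user has added the proxy's CA to the trust
    # store, the proxy's leaf certificate will not match the shipped pin.
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pins):
        tls.close()
        raise ssl.SSLError("certificate does not match pinned fingerprint")
    return tls  # no request data has been sent before this point
```

Pinning the whole certificate means the pin has to be updated whenever the server certificate is renewed.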