
I built a GData app and I send my Google credentials to use my account. Fiddler can easily intercept my communication and reveal my username & password.

Is there any way to prevent prying eyes? Someone can easily reveal my password if not...

POST https://www.google.com/accounts/ClientLogin HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: www.google.com
Content-Length: 109
Expect: 100-continue
Connection: Keep-Alive

Email=xxxxxxxxxx%40gmail.com&Passwd=veryhigh-secure-ultra-strenght-passord-is-this-HHDGdgddhdyhghdeeehdeg^3h37373dE^^^+--XXXxxx123123h37ddg3g36dhjfhfg6373udbgd634t&source=database&service=writely&accountType=HOSTED_OR_GOOGLE

ADDITION: We know Google Docs' public SSL certificate. Can we check whether it is in use on the client's PC or whether there is a fake one? Does that help?


Update & Conclusion:

Fiddler acts as a man-in-the-middle and injects a fake root certificate into Windows' trusted root certificate store. It then generates a fake certificate for the target site. The browser uses that fake certificate's public key to encrypt the data and sends it to Fiddler itself. Fiddler decrypts the data with the fake root certificate's private key, then uses the remote site's original certificate to encrypt the data and sends it to the target site. It repeats the same things in reverse to respond to the browser.

I've simply asked how to detect these fake certificates in another question. If I build a simple application with .NET, the application will rely on and use Windows' default/stored certificate for the target site. If there isn't one, Fiddler will generate one on the fly.

So...

  1. I do not rely on the certificate in Windows' store and get the authentic certificate directly from the target site, or I have to include a valid certificate of the target site in my app.

  2. I have to modify the source code of the Google Data API to use my included (authentic) SSL certificate, a simple .crt file, for my HTTPS communications. So the data will be encrypted in my app and decrypted at the target site only.

  3. Securing memory, to make things harder, is the next step.

I've written these things as a future reference for whoever researches the same topics, and to be approved by you.

Thanks.

Someone has already mentioned fake certificates:

  1. Detecting Man in the Middle Attacks with DNS, by Jason Coombs, December 18, 2003
Nime Cloud
  • That's a really poor password. – Rawling Mar 05 '12 at 08:47
  • Can I force my app/Google API to ignore/not allow any un-trusted certificate? – Nime Cloud Mar 05 '12 at 08:50
  • Ok guys, I fixed the password. Now what? – Nime Cloud Mar 05 '12 at 12:24
  • As noted below, there's no threat from a network-based attacker, so building in protection like this isn't generally useful. You should also keep in mind that there's nothing practical you can do to prevent the user from changing your running code in memory to accept whatever interception certificate they are using. – EricLaw Apr 18 '12 at 13:41
  • I made things as hard as possible, used obfuscated multithreaded code with timers and a few randomized code flows. I think it's quite a boring job to crack my app for nothing. I also removed the user/pass pair; now I use a public shared spreadsheet with encrypted data. It's enough for me. I'm neither Microsoft, nor did I build Windows 8. – Nime Cloud Apr 19 '12 at 20:47

3 Answers


The reason Fiddler can reveal your password is that it is acting as an HTTPS proxy. It acts as a man-in-the-middle, decrypting your secure traffic on the client side and re-encrypting it before sending it on to the target server. This all happens before your secure traffic leaves your system. Once it leaves your computer, the data is encrypted.

As long as you are confident that your computer is secure from malware and other software like that, then you should consider the HTTPS traffic secure and encrypted and safe from snooping.

Did you install the Fiddler root CA? If you did, then your system trusts certificates issued by the Fiddler software in the same way as it would trust certificates issued by Verisign or other trusted authorities.

You have to go to effort to accept an untrusted certificate in most programming environments, so it should have failed the check at that point, before sending the traffic to the server.

EDIT: If you're attempting to secure access to a GData store, then you should read the Authentication and Authorization documentation with respect to this. Yes, it's a pain in the ass, but it is a way to secure the data without revealing your user account information at the client-app level.

Anya Shenanigans
  • I was planning to distribute my app. – Nime Cloud Mar 05 '12 at 08:57
  • Even if you secure your HTTPS communication, a malicious user may snoop the process's memory and fish the password out from there. You should think of another way to secure communication, not storing your passwords – Zruty Mar 05 '12 at 09:03
  • I agree with @Zruty, if you're storing the password in a distributed application, then it can and will get extracted (all that matters is the effort required to perform the extraction). What is being stored on the google-side that requires your credentials to access it? – Anya Shenanigans Mar 05 '12 at 09:14
  • I use Google Docs -spreadsheet- as INI file on the clouds: User's license info. – Nime Cloud Mar 05 '12 at 09:20
  • I've updated my answer with a reference to the recommended way to restrict/permit access to the data store involving openid/oauth. – Anya Shenanigans Mar 05 '12 at 09:22

You can hide the traffic going out from your app with this simple code:

request.Proxy = null;

However, this works with Fiddler only. I don't know if it works with other traffic-monitoring software...

Desolator
  • Google should implement a mechanism: I set a passphrase (or use my password) on my Google account. I send my mail > Google sends an encrypted string > I send the decrypted string > Google accepts my login/request. This should be done on every request to prevent stealing my session. – Nime Cloud Mar 05 '12 at 09:04
  • @Robin that won't work if your network requires you use a proxy to access the internet. – Mesh Mar 05 '12 at 09:59
  • This works fine with a direct connection... if you want to use a proxy you must implement it inside your program... – Desolator Mar 05 '12 at 11:33
  • @NimeCloud: And how are you going to hide the decryption key from prying eyes? Any time you place a key on a user's machine or in memory in one of its processes, you've surrendered control over it to the user. – Ross Patterson Mar 05 '12 at 19:49
  • I don't use a user/password pair in my app anymore. I use a public shared Google spreadsheet/form and I add a row with a CRC verification key to detect/ignore unauthorized data writes. – Nime Cloud Apr 19 '12 at 20:37

Now I can detect whether a fake certificate is in use or not. It's not only about securing my password; all my SSL communication is visible, including other sensitive data.

[Screenshot: SSL match at both ends]

[Screenshot: MITM Suspect!]

Of course, a fake SSL certificate might contain matching strings, so I should compare both certificate files to ensure they are identical. Or better, simply encrypt a test string with both certificates and compare the results...

Nime Cloud
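Both the conclusion in the question (don't rely on whatever the Windows store trusts; check against the authentic certificate) and the comparison idea in this answer (compare the certificate files, not strings from them) come down to the same check: compare a hash of the certificate's DER bytes with a fingerprint you obtained out of band. The following is an added C# example for a .NET client like the one in the question; it is not code from the question, any answer, or the Google Data API library. `ExpectedSha256` is a placeholder that must be replaced with the real fingerprint, taken from a machine you trust rather than through the proxy you are trying to detect.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: certificate pinning for a .NET HTTPS client.
// A Fiddler-generated certificate chains to a root the OS was told to trust,
// so the normal chain check passes. Its DER bytes differ from the real
// certificate's, so its fingerprint differs, and this callback rejects it
// before any credentials are sent.
static class CertPinning
{
    // ASSUMPTION: placeholder. Replace with the SHA-256 fingerprint of the
    // genuine www.google.com certificate, collected out of band.
    const string ExpectedSha256 = "REPLACE_WITH_REAL_FINGERPRINT";

    // Hex SHA-256 over the raw DER encoding; identical bytes give an
    // identical value, which is the comparison this answer is after.
    public static string Sha256Fingerprint(X509Certificate cert)
    {
        using (var sha = SHA256.Create())
        {
            byte[] hash = sha.ComputeHash(cert.GetRawCertData());
            return BitConverter.ToString(hash).Replace("-", "");
        }
    }

    // Accept only when the runtime's own chain validation passed AND the
    // presented leaf certificate is the pinned one.
    public static bool IsPinned(X509Certificate cert, SslPolicyErrors errors, string expectedSha256)
    {
        if (cert == null || errors != SslPolicyErrors.None)
            return false;
        return string.Equals(Sha256Fingerprint(cert), expectedSha256,
                             StringComparison.OrdinalIgnoreCase);
    }

    // Call once at startup, before any GData call. The Google Data .NET
    // library goes through HttpWebRequest, which honours this global callback.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, cert, chain, errors) => IsPinned(cert, errors, ExpectedSha256);
    }

    // Offline variant of the same check for two .crt files on disk.
    public static bool SameCertificate(string pathA, string pathB)
    {
        var a = new X509Certificate2(pathA);
        var b = new X509Certificate2(pathB);
        return Sha256Fingerprint(a) == Sha256Fingerprint(b);
    }
}
```

Two caveats apply. Pinning the leaf certificate breaks the moment the site rotates it, so in practice you pin the server's public key (or its issuing CA) and ship an update path; the fingerprint comparison above stays the same, only what you hash changes. And, as EricLaw notes in the comments, this only defends against a proxy the user did not choose: someone who controls the machine can patch the running app to accept any certificate.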