4

I am testing a C# web API hosted on a remote server, and I am monitoring HTTPS traffic using Fiddler.

What confuses me is that via Fiddler I can see all of the POST payload, headers and host URL addresses for both the request and the response. Shouldn't the SSL certificate actually encrypt this data, or at least some of it? I tried to find an example of encrypted HTTPS requests but I am not able to find it.

Why am I able to see an entire HTTPS request in Fiddler?

Anders
  • 65,052
  • 24
  • 180
  • 218
mko
  • 179
  • 1
  • 6
  • 3
    Have you trusted the Fiddler SSL certificate on the machine you are making requests from? If so, it can effectively man-in-the-middle your HTTPS connection. Your browser trusts the Fiddler CA, fiddler trusts your end point certificate. – iainpb Mar 02 '18 at 13:14

1 Answers1

5

Take a look at these instructions for how to make Fiddler decrypt TLS traffic. It tells you to install Fiddlers root certificate into the OS trust store.

This implies that they are doing classic TLS interception - there is one TLS connection between the browser and Fiddler, and another between Fiddler and the server. The first one uses a certificate generated on the fly by Fiddler and signed with their root certificate. The second one uses whatever certificate the server provided. As seen below:

   Browser <--- TLS Connection #1 ---> Fiddler <--- TLS Connection #2 ---> example.com
                      |                                      |
               Certificate signed                  Genuine certificate 
                   by Fiddler                         for exmple.com

This works because the OS has been told to trust Fiddlers root certificate, so they can simply spin up a certificate for any domain they want on the fly and the browser will accept it.

Anders
  • 65,052
  • 24
  • 180
  • 218
  • So would that work with anyone trying to intercept request with fiddler? Is that a security issue? – mko Mar 02 '18 at 13:22
  • 2
    No, each cert it generates us unique. Your Fiddler CA will not work on someone else's installed browser cert. To exploit this, you'd have to install the cert for your Fiddler instance on their machine – iainpb Mar 02 '18 at 13:43
  • @iainpb maybe my question wasnt clear. Could I intercept some other secured request using my browser and my fiddler in similar way? So basicaly I would act as man in the middle of any transaction I can get my hands on? – mko Mar 02 '18 at 13:55
  • 1
    @mko the key part is, to intercept the traffic, you need a root certificate installed on the machine for which you also hold the private key. If you can trick another person to install a root certificate (which Fiddler is doing but only to yourself) and you are in an active attacker network position, yes you could intercept their traffic. But only if you get the to install your own root certificate. – vcsjones Mar 02 '18 at 14:07
  • @vcsjones hm i am still not getting it, sorry. let me check the facts first. when you say machine, are you referring to a middle-man machine or server machine that is serving/processing request? if it is a middle man machine, and the fiddler is doing what its doing, as an "attacker" using fiddler I could intercept and read encrypted data. Correct? So how exactly is SSL secure? – mko Mar 02 '18 at 14:14
  • so, you can intercept any ssl communication between the machine you trusted the fiddler cert on and any server. But yes, you could leave fiddler running on your machine and intercept everything. This is and isn't a security issue, this is how HTTPS works, on trust of certificates, if you trust other certificates you open yourself to MITM. – iainpb Mar 02 '18 at 14:25