How secure is https?

Posted 2019-06-04 01:04

Question:

I have recently been looking into HTTPS, and just how secure it is.

I went to an https site which had a valid certificate and entered my username and password. Using Fiddler, I decrypted the requests which appeared after clicking the submit button, and there was my username and password in plain text in a string containing key-value pairs (this wasn't the querystring, it was the post values).

Can anyone enlighten me as to why HTTPS is said to be secure when it is this easy for me to get the username and password using an external application? I mean it was pretty much instant decryption, and surely a hacker could use an application to find out what requests you're making and decrypt them, can't they?

Answer 1:

HTTPS is a fairly secure way of communicating point-to-point without anyone in the middle being able to listen in.

The reason Fiddler can decrypt the traffic is that it has control over which certificates your browser trusts. A certificate is basically a "guarantee" that the web site you're talking to is who it claims to be, and since Fiddler can put its own certificate into the browser, it can convince the browser that it is any site.

Normally the browser only has certificates from certificate authorities (like Verisign, Thawte, Geotrust) whose job it is to validate that every site is actually who they say they are. As long as you trust the certificate authorities (they have made mistakes) and no one has added a fake certificate to your browser, you can pretty much trust that no one is listening in.

If you're looking for something that is "mathematically secure", HTTPS isn't it. For communication to be easy to set up, you still have to trust someone other than the person at the other end of the connection.



Answer 2:

I completely agree with Joachim Isaksonn. Just want to add a couple of things:

1) SSL security depends on the length of the RSA key which is used. Longer keys are more secure. Generally speaking, 1024 bit is still good enough for most cases; 2048 bit is unbreakable by known factorization methods with all the resources in the world.

http://en.wikipedia.org/wiki/RSA_Factoring_Challenge

2) SSL security also depends on a user. If you go to some website and it says "Certificate doesn't match" and you click ignore, you are in trouble (for the same reason why Fiddler can decrypt the traffic).



Answer 3:

It seems like you are skeptical about HTTPS because of what you achieved using Fiddler. I will try to answer that part of your question concisely.

The reason why you were able to do that is because you mounted a Man in the Middle attack on yourself where Fiddler is the MiTM. You must have noticed that the browser would have issued a warning about the certificate being unsafe. That certificate is, in fact, Fiddler's own certificate. So your browser connects to Fiddler, Fiddler connects with the intended server, and Fiddler relays the traffic (acts like a proxy). This is precisely why you were able to see your traffic. Your browser encrypted the data using Fiddler's public key and Fiddler used its private key to decrypt the data to show you. This has nothing to do with 'HTTPS' not being secure. HTTPS can be considered secure as long as the user is careful enough to go by the warnings that the browsers issue. As always, the weakest link here is the users.
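
The answers above turn on one point: a certificate chain that validates against a modified trust store tells you nothing about who actually issued it. As an added example (not part of the original thread), this Python code compares the issuer of the certificate a client received with the issuer the site is expected to use; the host name, CA names and sample certificates are constructed, and `check_issuer` and `fetch_peer_cert` are hypothetical helper names.

```python
import socket
import ssl

# Constructed samples in the dict shape returned by ssl.SSLSocket.getpeercert().
# All host and CA names are made up for illustration.
DIRECT_CERT = {
    "subject": ((("commonName", "login.example.test"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA G2"),)),
}
PROXIED_CERT = {  # same site, but the leaf was minted by a local debugging proxy
    "subject": ((("commonName", "login.example.test"),),),
    "issuer": ((("organizationName", "Local Debug Proxy"),),
               (("commonName", "Local Debug Proxy Root"),)),
}


def issuer_fields(cert):
    """Flatten the nested issuer RDN tuples into a plain dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def check_issuer(cert, expected_issuer_cns):
    """Return (ok, issuer_cn). ok is False when the issuer is not one we
    expect, even if the chain validated against the local trust store."""
    issuer_cn = issuer_fields(cert).get("commonName", "")
    return issuer_cn in expected_issuer_cns, issuer_cn


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live variant: handshake with normal validation, return the leaf cert.
    Validation also passes for a proxy whose root was added to the trust
    store, which is why the issuer is checked separately."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    expected = {"Example Public CA G2"}  # assumption: the CA this site uses
    for label, cert in (("direct", DIRECT_CERT), ("proxied", PROXIED_CERT)):
        ok, cn = check_issuer(cert, expected)
        print(f"{label}: issuer={cn!r} expected_issuer={ok}")
```

To check a real connection, pass the result of `fetch_peer_cert(host)` to `check_issuer` together with the issuer names you recorded for that site on a machine you trust.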