Why make use of HTTPS when Fiddler can decrypt it

2019-03-08 19:42发布

This question already has an answer here:

I have just discovered that Fiddler can decrypt HTTPS traffic.

For instance, I deployed a website on localhost using HTTPS. When inspecting the data packets in Fiddler, I was able to view all the information since it has an option to decrypt it.

My question is, why make use of HTTPS when Fiddler can easily decrypt it?

2条回答
爱情/是我丢掉的垃圾
2楼-- · 2019-03-08 19:50

Fiddler performs a MITM technique.

To make it work, you need to trust its Certificate:

http://www.fiddler2.com/fiddler/help/httpsdecryption.asp

If you don't, it won't decrypt anything...

how can Fiddler2 debug HTTPS traffic?

A: Fiddler2 relies on a "man-in-the-middle" approach to HTTPS interception. To your web browser, Fiddler2 claims to be the secure web server, and to the web server, Fiddler2 mimics the web browser. In order to pretend to be the web server, Fiddler2 dynamically generates a HTTPS certificate.

Fiddler's certificate is not trusted by your web browser (since Fiddler is not a Trusted Root Certification authority), and hence while Fiddler2 is intercepting your traffic, you'll see a HTTPS error message in your browser [...]

查看更多
男人必须洒脱
3楼-- · 2019-03-08 20:10

In order to decrypt HTTPS traffic you must first install the Fiddler's root certificate in to your "trusted/root certificates" list. Fiddler's root certificate is NOT a Root certificate which by default comes with your Operating System. The OS will usually warn you when you're trying to install this.

In doing so, you explicitly begin to trust any certificate signed by Fiddler's root certificate. When you now make a https request, Fiddler will perform a Man in the middle attack with you.

Suppose you make a request in the form https://google.com. Fiddler will now act as the actual Google server and will create a dummy certificate for Google.com and sign it using Fiddler's Root certificate. You will receive this dummy certificate which has been signed by Fiddler. This certificate will pass your device's validation since Fiddler's Root certificate is now in your trusted certificates. Now, your device will start communicating with Fiddler through a secure HTTPS connection. Fiddler will relay your messages to Google.com and back to you. Of course Fiddler will able to decrypt them.

It is to note that the traffic from Fiddler to Google will occur through a second Secure https channel.

Therefore, not to worry about the security provided by https.

查看更多
登录 后发表回答