What is the point of SSL if Fiddler 2 can decrypt all calls over HTTPS?

I previously asked a question about how to hide my HTTP requests and make them more secure in my application. I didn't want people to use Fiddler 2 to see the call and set up an autoresponder. Everyone told me to go SSL and the calls will be hidden and the information will be safe.

I bought and installed an SSL certificate and got everything set up. I downloaded Fiddler 2 and ran a test application that connected to an https web service and also connected to an https PHP script.

Fiddler 2 was able to not only detect both requests, but also decrypt them! I was able to see all the information going back and forth, which brings me to my question.

What is the point of having SSL if it makes zero security difference? With or without SSL, I can see all the information going back and forth, and STILL set up an autoresponder.

Is there something in .NET I am missing to better hide my calls going over SSL?

EDIT

I am adding a new part to this question due to some of the answers I received. What if an application connects to a web service to log in? The application sends the username and password to the web service. The web service then sends data back to the application, saying good login details or bad. Even if you go over SSL, a person using Fiddler 2 could just set up an autoresponder, and then the application is "hacked". I understand how it could be useful to see the data when debugging, but my question is what exactly needs to be done to make sure that the SSL connection is to the one that was requested. Basically speaking, there cannot be a man in the middle.

+45
c# ssl encryption fiddler
May 30 '12 at 1:32
3 answers

This is described here: http://www.fiddlerbook.com/fiddler/help/httpsdecryption.asp

Fiddler2 relies on a man-in-the-middle approach to intercepting HTTPS. To your web browser, Fiddler2 claims to be the secure web server, and to the web server, Fiddler2 mimics the web browser. To pretend to be the web server, Fiddler2 dynamically generates an HTTPS certificate.

In effect, you manually trust whatever certificate Fiddler provides; the same would be true if you manually accepted a certificate from a random person that does not match the domain name.

EDIT: There are ways to prevent a Fiddler / man-in-the-middle attack, that is, in a user application using SSL, specific certificates can be required for communication. In the case of browsers, they have a user interface to notify the user of a certificate mismatch, but ultimately allow such communication.

As a publicly available example of explicit certificates, you can try using Azure services (for example, with the PowerShell tools for Azure) and sniffing the traffic with Fiddler. It fails due to the explicit certificate requirement.

+48
May 30 '12 at 1:36
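
The certificate requirement described in the answer above, as an added C# example (not part of the original answer): the client accepts the server only when chain validation passes and the certificate's SHA-256 fingerprint is one shipped with the application. The class and method names, the `CN=api.example.test` subject and the two self-signed certificates are constructed for illustration; the second certificate stands in for one generated on the fly by an intercepting proxy.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public sealed class CertificatePin
{
    private readonly HashSet<string> _pins;
    public CertificatePin(IEnumerable<string> base64Sha256Pins) =>
        _pins = new HashSet<string>(base64Sha256Pins, StringComparer.Ordinal);

    // Base64 SHA-256 of the DER-encoded certificate.
    public static string Fingerprint(X509Certificate2 cert)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(cert.RawData));
    }

    // Chain validation must pass AND the certificate must be pinned. A proxy whose
    // root the user has trusted passes the first check but fails the second.
    public bool Validate(X509Certificate2 cert, SslPolicyErrors errors) =>
        errors == SslPolicyErrors.None && cert != null && _pins.Contains(Fingerprint(cert));

    // HttpClient that applies the pin to every TLS handshake.
    public HttpClient CreateClient() => new HttpClient(new HttpClientHandler
    {
        ServerCertificateCustomValidationCallback = (req, cert, chain, errors) => Validate(cert, errors)
    });
}

public static class Demo
{
    // Constructed self-signed certificate (sample input, not a real server certificate).
    static X509Certificate2 MakeCert(string subject) =>
        new CertificateRequest(subject, RSA.Create(2048), HashAlgorithmName.SHA256,
                               RSASignaturePadding.Pkcs1)
            .CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));

    public static void Main()
    {
        var real = MakeCert("CN=api.example.test");
        var proxy = MakeCert("CN=api.example.test"); // same name, different key pair
        var pin = new CertificatePin(new[] { CertificatePin.Fingerprint(real) });
        Console.WriteLine(pin.Validate(real, SslPolicyErrors.None));  // pinned certificate
        Console.WriteLine(pin.Validate(proxy, SslPolicyErrors.None)); // proxy-generated certificate
    }
}
```

Pinning the whole certificate means the pin list has to be updated whenever the server certificate is renewed.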

You can configure your web service to require a client-side certificate for SSL authentication, as well as the server-side one. That way, Fiddler will not be able to connect to your service. Only your application with the required certificate will be able to connect.

Of course, then you have the problem of how to protect the certificate in the application, but you already have that problem now with your username and password. Someone who really wants to hack your application can have a go with Reflector or even perform a memory search for the private key associated with the certificate on the client side.

There is no real way to make this 100% bulletproof. This is the same problem as in the movie industry with DVD content. If you have software that can decrypt the DVD and play the content, then someone can dump the memory while the software is in action and find the decryption key.

+7
May 30 '12 at 2:08 a.m.

The point of SSL / TLS in general is that a random wiretapping eavesdropper cannot see your payloads. Fiddler / Burp means you interacted with the system. Yes, this is a very simple interaction, but it requires a (one) system.

If you want to increase security by making these MITM programs useless at such a basic level, you would need to require client certificate authentication (two-way SSL) and bind both the server and client certificates (for example, require that only a specific certificate is valid for the comms). You would also encrypt the payloads transferred on the wire with the public keys of each side and ensure that the private keys reside only on the systems to which they belong. Thus, even if one side (Bob) is compromised, the attacker can only see what is sent to Bob, and not what Bob sent to Alice. Then you must encrypt the payload and sign the data with a verifiable certificate to ensure that the data has not been tampered with (there is much debate about whether to encrypt or sign first, btw). Alternatively, you can sign using several passes of something such as sha2 to ensure that the signature is "sent" (although this is a largely obscure step).

This will get you about as far as possible when you do not control (one) of the communicating systems.

As already mentioned, if an attacker controls the system, they control RAM and can change all method calls in memory.

+6
Jan 02 '15 at 9:04


