
When I log into any website, I can record all calls during login using the JMeter test script recorder or Burp Suite, but when I try to record calls from Facebook, it gives me the following message in the browser.

The certificate is not trusted because it is self-signed. The certificate is only valid for JMeter Proxy (DO NOT TRUST)

Can I implement this feature for my site so that no one is able to know what calls are going to the server during login, registration or any other activity?

My site is HTTPS, but HTTPS requests can still be recorded using automated tools.

Please comment.

Thank You

Derek
    If any part of your site that you want to secure involves code running on the client's browser (probably all of it), then you can't because the thing that can record traffic on the client's computer can probably do whatever to the browser as well. – billc.cn Aug 18 '16 at 15:14

1 Answer


You can intercept requests to Facebook and any other website using Burp or other similar proxy tools.

The error is probably that you didn't add the CA certificate from Burp/JMeter to your browser's list of trusted CAs.

Check this link on how to add the Burp CA certificate in Firefox.

Also, you can add client certificates for an extra layer of security. But even this can be intercepted in other ways.

Sravan
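
Why adding the proxy's CA to the trusted list changes the outcome, as an added example that is not part of the original answer: it creates a throwaway CA and a leaf certificate signed by it, then verifies the leaf against a trust store without and with that CA. The subject names are constructed, and the openssl CLI (1.1.0 or newer) is assumed.

```shell
#!/bin/sh
# Added example: every name and subject below is constructed.
# Assumes the openssl CLI, 1.1.0 or newer (-no-CAfile / -no-CApath).

# Build a throwaway CA and a leaf certificate signed by it, then verify the
# leaf against two trust stores. Prints "<result without CA> <result with CA>".
trust_demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # 1. Stand-in for the proxy's own self-signed root CA.
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Constructed Proxy CA" \
            -keyout ca.key -out ca.pem >/dev/null 2>&1 || exit 1
        # 2. Certificate for the site name, signed by that CA.
        openssl req -newkey rsa:2048 -nodes \
            -subj "/CN=site.example" \
            -keyout leaf.key -out leaf.csr >/dev/null 2>&1 || exit 1
        openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key \
            -CAcreateserial -days 1 -out leaf.pem >/dev/null 2>&1 || exit 1
        # 3. A client whose trust store does not contain the CA.
        if openssl verify -no-CAfile -no-CApath leaf.pem >/dev/null 2>&1
        then without=accepted; else without=rejected; fi
        # 4. The same client after the CA was added to its trust store.
        if openssl verify -no-CApath -CAfile ca.pem leaf.pem >/dev/null 2>&1
        then with=accepted; else with=rejected; fi
        echo "$without $with"
    )
    status=$?
    rm -rf "$dir"
    return $status
}

trust_demo
```

The decision is made entirely by the client's trust store, which is why the site operator cannot control it from the server side.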