
I would like to understand a point. When I use Fiddler, it creates a local proxy to analyze the traffic; so far, everything is fine. However, when Fiddler is running and I browse an HTTPS site, the certificate shown in the browser is "replaced" by the one generated by Fiddler, marked as DO NOT TRUST.

[Screenshots: with and without Fiddler]

I would like to understand the risks associated with this local proxy and this certificate replacement. Imagine that I am browsing the internet with Fiddler continuously running locally: what am I actually risking? Is this bad practice? Or, on the contrary, is everything fine?

Thanks for your help!

Marc Alves
  • Why are you using Fiddler in the first place? It is used for troubleshooting HTTPS connections. What are you risking? Not being notified of invalid/expired certificates while browsing websites. – Kate Jul 12 '21 at 18:27
  • In fact, it's more the architecture of this solution (local proxy + certificate) that interests me here, not only Fiddler. I therefore understand that, in addition to a MitM attack, I risk not seeing the updates to the original certificate of the site. – Marc Alves Jul 13 '21 at 07:58

1 Answer

The whole idea, however flawed, of using trusted certificates for securing web sites is that the certificate is signed by generally recognized trusted authorities. This provides a strong probability that the site is the official site and not some kind of spoof or clone.

A self-signed certificate, that is, one that is not signed by a trusted authority, is just as secure encryption-wise, but there is no validation by a trusted authority that the site is not a copy/clone/spoof, as anyone can make a self-signed certificate.

Man-in-the-Middle (MiTM) proxies such as Fiddler use self-signed certificates. You could of course choose to trust Fiddler certs, but you would potentially be trusting other people's Fiddler certs with no recognized trust authority.

Yes, browsing through Fiddler works fine, until it doesn't. (MiTM)

user10216038
  • It is therefore a MiTM attack that I risk by trusting a self-signed certificate like those of Fiddler. In this case, is it a solution to configure Fiddler to use a certificate that I own, this one being purchased from and generated by a trusted authority? As this link shows, for example: https://docs.telerik.com/fiddlercore/basic-usage/use-custom-root-certificate In this scenario, the Fiddler proxy would analyze and decrypt the HTTPS traffic from my local machine, but using a trusted custom certificate. I suppose there is therefore no more risk in this case? Or do you see something else? – Marc Alves Jul 13 '21 at 07:55
  • @Marc Alves - I don't know if Fiddler supports using an external certificate, I know ZAP doesn't, or didn't last I looked. Even if you can, you risk a reverse issue. Corporate MiTM devices like *Bluecoat* do this with a corporate trusted cert. I've seen where going through *Bluecoat* to a web site with a *self-signed* certificate is not flagged by the browser as a potential security risk because all it saw was the trusted *Bluecoat* certificate. In many ways this is even worse because any old self-signed cert becomes blindly accepted. – user10216038 Jul 13 '21 at 15:31
  • OK, I think I understand what you are explaining here. This risk therefore corresponds to the one identified by @Anonymous in the above responses: "Not being notified of invalid/expired certificates while browsing websites". Is that correct? – Marc Alves Jul 14 '21 at 06:26
  • In this case, I will clarify the question, let's assume that "Fiddler" (or something similar) would be used with a valid external certificate that I own but that this proxy would analyze traffic only from a single "trusted" site, via a filter. Ex: www.security.stackexchange.com (this is an example). In this case, my external certificate will replace the StackExchange one (as shown on my screenshots), but all other sites will continue to display their original certificate. In this scenario, is there still a high risk or is it acceptable ? (Even if it's not doable by Fiddler itself...) – Marc Alves Jul 14 '21 at 06:32
  • @Marc Alves - "*... via a filter ... all other sites will continue to display their original certificate*". I don't think I understand? It sounds like normal use, as in only as needed? – user10216038 Jul 14 '21 at 14:02
  • I mean the proxy, and therefore the "overloaded" certificate, will only apply to a given site. For the other ones, the proxy will let traffic pass without decrypting HTTPS. So, at browser level, we will not see the custom certificate but the official one of the site, as shown in my screenshot. In short, if we had a proxy that analyzes the HTTPS traffic of only one site using a valid custom certificate that belongs to me, do we remain in a condition that is too risky? Since the other sites would not be impacted. – Marc Alves Jul 14 '21 at 14:38
  • @Marc Alves - No, I don't see significant risk, as I interpret that as normal use, with the difference of using a custom certificate instead of a generated self-signed one. Again, I'm not aware that custom certificate insertion is supported by Fiddler. – user10216038 Jul 14 '21 at 21:17
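The trust logic that the answer and the later comments describe, as an added example that is not part of the original thread and not Fiddler's own code: it builds a stand-in public CA, an interception root (named DO_NOT_TRUST_FiddlerRoot, which is what Fiddler calls the root it generates on first run), and a corporate proxy root, mints server certificates the way an intercepting proxy does for every CONNECT, and runs the browser's chain check against different trust stores. The CA names, the host names (www.example.com, bank.example, intranet.example) and the resignThroughProxy helper are assumptions for illustration; the verification itself is Go's standard crypto/x509, which applies the same rule a browser does: chain to a trusted root and match the host name.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signer is a key pair plus certificate: a stand-in for a public CA, for the
// root Fiddler generates on first run, for a corporate proxy root, or for a
// site that signs its own server certificate. (Illustrative model, not Fiddler.)
type signer struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // example code; real code would return the error
	}
	return k
}

// template builds a certificate for one name; ca=true makes it a signing root.
func template(name string, ca bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  ca,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// mint signs tmpl with priv under parent; parent == tmpl gives a self-signed cert.
func mint(tmpl, parent *x509.Certificate, pub crypto.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// selfSign creates a self-signed certificate: a CA root when ca is true
// (what Fiddler does on first run), otherwise a plain self-signed server cert.
func selfSign(name string, ca bool) *signer {
	key, t := newKey(), template(name, ca)
	return &signer{key: key, cert: mint(t, t, key.Public(), key)}
}

// issueLeaf is what an intercepting proxy does on every CONNECT: mint a certificate
// for the requested host under its own root, no questions asked. A public CA does
// the same, but only after checking that the requester controls the name.
func (s *signer) issueLeaf(host string) *x509.Certificate {
	return mint(template(host, false), s.cert, newKey().Public(), s.key)
}

// resignThroughProxy models a Bluecoat-style proxy that terminates TLS and re-issues
// the upstream cert under the corporate root without verifying the upstream chain.
func resignThroughProxy(proxyRoot *signer, upstream *x509.Certificate) *x509.Certificate {
	return proxyRoot.issueLeaf(upstream.DNSNames[0])
}

// browserAccepts is the browser's check: chain to a trusted root and name the host.
func browserAccepts(leaf *x509.Certificate, host string, trusted ...*x509.Certificate) bool {
	roots := x509.NewCertPool()
	for _, t := range trusted {
		roots.AddCert(t)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

func main() {
	publicCA := selfSign("Example Public CA", true)       // a recognised authority
	fiddler := selfSign("DO_NOT_TRUST_FiddlerRoot", true) // the proxy's generated root
	corp := selfSign("Corp Proxy Root", true)             // a corporate MiTM root
	site := "www.example.com"
	fmt.Println("genuine cert, public CA trusted:", browserAccepts(publicCA.issueLeaf(site), site, publicCA.cert))
	fmt.Println("Fiddler cert, root not trusted: ", browserAccepts(fiddler.issueLeaf(site), site, publicCA.cert))
	fmt.Println("Fiddler cert, root trusted:     ", browserAccepts(fiddler.issueLeaf(site), site, publicCA.cert, fiddler.cert))
	// Once the root is trusted, whoever holds its key can speak for any name.
	fmt.Println("Fiddler cert for bank.example:  ", browserAccepts(fiddler.issueLeaf("bank.example"), "bank.example", publicCA.cert, fiddler.cert))
	// Reverse problem from the comments: rejected directly, accepted once the proxy re-signs it.
	intranet := selfSign("intranet.example", false).cert
	fmt.Println("self-signed site, direct:       ", browserAccepts(intranet, "intranet.example", publicCA.cert, corp.cert))
	fmt.Println("self-signed site, via proxy:    ", browserAccepts(resignThroughProxy(corp, intranet), "intranet.example", publicCA.cert, corp.cert))
}
```

The second line is the DO NOT TRUST warning from the question: the proxy's certificate is cryptographically fine but chains to nothing the browser knows. The third and fourth lines are the answer's "works fine, until it doesn't": the moment the interception root is in the trust store, the only thing left for the browser to check is the host name in the leaf, so anyone who holds that root's private key can impersonate any site, which is why the root key must never leave the machine (and why a purchased certificate from a public CA cannot be used this way: public CAs do not issue signing roots to customers). The last two lines are the Bluecoat case from the comments: a self-signed upstream certificate that the browser would reject on a direct connection is accepted once the proxy re-signs it, because the browser only ever sees the proxy's chain. A proxy that is used this way therefore has to do the upstream validation itself and surface failures to the user; otherwise the check has not been moved, it has been removed.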