I recently tried to use Fiddler2 from a third-party vendor, Telerik. While decrypting the HTTPS traffic of my network, it asked me to install its own root certificate in my Windows operating system:

Take a look at the screenshot below:

[screenshot not reproduced]

Is it safe to trust this kind of root certificate? What preventive measures should be taken when installing such root certificates?

TildalWave
BlueBerry - Vignesh4303

Fiddler is a special case. The entire point is to provide an SSL proxy so that you can look at the traffic unencrypted. So in this case, for Fiddler to decrypt your HTTPS session, you need to "trust" it. But even their own website says not to log in to any accounts you don't want decrypted over the network. http://docs.telerik.com/fiddler/configure-fiddler/tasks/trustfiddlerrootcert – RoraΖ Aug 22 '14 at 11:48

3 Answers

It's safe as long as you understand the implications.

Fiddler acts as a proxy / man in the middle to intercept and decrypt traffic between you and the target.

For SSL sites, it does this by dynamically generating an SSL certificate with the name of the target. The problem is that your browser will not trust certificates issued by Fiddler, hence the suggestion to install the Fiddler Root certificate.

The reason this could be bad is that if a malicious user generates an SSL certificate signed by the Fiddler root for a site like... let's say... www.bankofamerica.com, your browser will automatically trust the "fake" certificate.

k1DBLITZ

The way that I understand it, Fiddler (and similar proxies such as Burp or OWASP ZAP) works like this: each installation generates a unique root certificate, which it then uses to generate certificates on the fly when you have it assigned as a proxy, so you can intercept and modify traffic flowing over this connection (the purpose of the software).

As the root cert. generated is unique per installation, the only way that someone could misuse this would be to get a copy of it and then use that to create a certificate which your machine would trust. To do this they would need authenticated access to your PC to get access to the cert.

So if you have the risk of attackers who can get authenticated access to your machine then you may not want to trust this root. But then if they have that access your security against those attackers is in a pretty bad place anyway.

In general I trust the root certs generated by my proxy tool of use, as it makes it much more useful to me.

Rory McCune

The "DO NOT TRUST" is actually in the certificate itself as created by Fiddler. Fiddler is able to interpret HTTPS connections by acting as an HTTPS proxy. When you connect to a site via HTTPS, Fiddler produces a certificate that claims to be from that site and then accesses the real site. This way Fiddler can see the traffic, but your browser still acts like things are normal.

The problem with trusting it is that the private key for that root certificate is made by the Fiddler executable and isn't particularly well secured. If you trust it as a root certificate, then anyone that gets access to that key can convince your computer that any site they want is a valid site.

A third-party certificate is not inherently any more or less secure than any CA cert that comes installed with your browser or OS. All that matters is the security of the private key for that root authority and what policies that root authority has for signing certificates. By trusting a root certificate, you are trusting that everyone with access to the corresponding private key is worth trusting to decide if the website you are accessing is valid.

With a relatively unprotected private key, like Fiddler's, this is never the case, hence Fiddler's warning.

AJ Henderson
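The following is an added example, not code from the original page, from Telerik or from any proxy vendor. It makes concrete the mechanism all three answers describe (a per-installation root, leaf certificates minted on the fly for whatever host the proxy is asked for, and a client that accepts them only because the root was installed) and the preventive check the question asks about (find the interception root in the trust store so it can be removed when the session is over). It is written in Go because the standard library can issue and verify X.509 chains offline, with no network and no Fiddler install. The root subject `DO_NOT_TRUST_ExampleProxyRoot`, the function names, and the idea of feeding the check a PEM export of the trust store are assumptions made for this example; the real Fiddler root's exact subject is not given on this page, only that it carries "DO NOT TRUST". `www.bankofamerica.com` is the hypothetical target the first answer uses and is never contacted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// issue generates a fresh P-256 key for tmpl, has signer sign the certificate
// (signer == nil means self-signed) and returns the key and parsed certificate.
// Failures here are programming errors for this example, so they panic.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return key, cert
}

// NewProxyRoot models what Fiddler, Burp or ZAP do on first run: one root key
// and self-signed root certificate, unique to the installation. The subject is
// an assumption for this example; only the DO_NOT_TRUST marker mirrors the
// warning the answers describe (the real Fiddler subject is not on this page).
func NewProxyRoot() (*ecdsa.PrivateKey, *x509.Certificate) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "DO_NOT_TRUST_ExampleProxyRoot", Organization: []string{"DO_NOT_TRUST"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return issue(tmpl, tmpl, nil)
}

// IssueLeaf is the on-the-fly step: whoever holds the root key can mint a
// certificate for any host name, and nothing checks that they control that host.
func IssueLeaf(rootKey *ecdsa.PrivateKey, root *x509.Certificate, host string) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for the example
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	_, leaf := issue(tmpl, root, rootKey)
	return leaf
}

// Accepted reports whether a client that trusts exactly the given roots (and,
// deliberately, not the system store) would accept leaf as valid for host.
func Accepted(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// SuspectRoots is the preventive check: scan a PEM bundle exported from a trust
// store and list the CA subjects carrying the DO_NOT_TRUST marker, so an
// interception root can be found and removed once the proxy session is over.
func SuspectRoots(bundle []byte) []string {
	var found []string
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil || !cert.IsCA || !strings.Contains(cert.Subject.String(), "DO_NOT_TRUST") {
			continue
		}
		found = append(found, cert.Subject.String())
	}
	return found
}

func main() {
	host := "www.bankofamerica.com" // the hypothetical target the first answer names
	rootKey, root := NewProxyRoot()
	leaf := IssueLeaf(rootKey, root, host)
	installed := x509.NewCertPool() // a store into which the proxy root was installed
	installed.AddCert(root)
	fmt.Println("root installed, forged leaf accepted:", Accepted(leaf, installed, host))
	fmt.Println("root absent, forged leaf accepted:   ", Accepted(leaf, x509.NewCertPool(), host))
	export := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw}) // constructed export
	fmt.Println("suspect roots in store export:", SuspectRoots(export))
}
```

Run with `go run`: the forged leaf verifies cleanly for the bank host once the proxy root is in the pool and fails against an empty pool, which is the whole of the second and third answers in two lines; a root from a second `NewProxyRoot()` call also refuses to vouch for it, matching the point that each installation's root is unique. `SuspectRoots` is the measure to take after the session: it only looks for the marker the answers say Fiddler puts in its own subject, so it finds that root and nothing else. On Windows the same check can be run directly against `Cert:\CurrentUser\Root` and `Cert:\LocalMachine\Root` with `Get-ChildItem` in PowerShell instead of a PEM export. None of this helps against the case the second answer raises, an attacker who already has the root's private key; the only fix there is to remove the root.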