
Communication security: Fiddler intercepts my talks. How can I secure my app?

Question:

I built a GData app and I send my Google credentials to use my account. <a href="http://fiddler2.com" rel="nofollow noreferrer">Fiddler</a> can easily intercept my communication and reveal my username & password.

Is there any way to prevent prying eyes? Someone can easily reveal my password if not...

<pre>
POST https://www.google.com/accounts/ClientLogin HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: www.google.com
Content-Length: 109
Expect: 100-continue
Connection: Keep-Alive

Email=xxxxxxxxxx%40gmail.com&Passwd=veryhigh-secure-ultra-strenght-passord-is-this-HHDGdgddhdyhghdeeehdeg^3h37373dE^^^+--XXXxxx123123h37ddg3g36dhjfhfg6373udbgd634t&source=database&service=writely&accountType=HOSTED_OR_GOOGLE
</pre>

<strong>ADDITION:</strong> We know Google Docs's public SSL certificate. Can we check whether it is the one in use on the client's PC, or whether a fake one is? Does it help?

<img alt="Fiddler-intercepted request" src="https://i.stack.imgur.com/IqWed.png" />

<strong>Update & Conclusion:</strong>

Fiddler acts as a man-in-the-middle and injects a fake root certificate into Windows' trusted root certificate store. It then generates a fake certificate for the target site. The browser uses that fake certificate (public key), encrypts the data and sends it to Fiddler itself. Fiddler decrypts the data with the fake root certificate's private key, then uses the remote site's original certificate to encrypt the data and sends it to the target site. It repeats the same thing in reverse for the response to the browser.

I've simply asked how to detect these fake certificates in another question. If I build a simple application with .NET, the application will rely on and use Windows' "default/stored" certificate for the target site. If there is none, Fiddler will generate one on the fly.

So...

<ol>
<li>I do not rely on the certificate in Windows' store and get the authentic certificate directly from the target site, or I have to include a valid certificate of the target site in my app.</li>
<li>I have to modify the source code of the Google Data API to use my included (authentic) SSL certificate (a simple .crt file) for my HTTPS communications. So the data will be encrypted in my app and decrypted at the target site only.</li>
<li>Securing memory (to make things harder) is the next step.</li>
</ol>

I've written these things as a future reference for whoever researches the same topics, and to be reviewed by you.

Thanks.

Someone has already mentioned fake certificates:

<ol><li><a href="http://drdobbs.com/184416896" rel="nofollow">Detecting Man in the Middle Attacks with DNS By Jason Coombs, December 18, 2003</a></li> </ol>

Answer1:

The reason Fiddler can reveal your password is that it is acting as an HTTPS proxy. It acts as a man-in-the-middle, decrypting your secure traffic on the client side and re-encrypting it before sending it on to the target server. This all happens before your secure traffic leaves your system. Once it leaves your computer the data is encrypted.

As long as you are confident that your computer is secure from malware and other software like that, then you should consider the HTTPS traffic secure and encrypted and safe from snooping.

Did you install the Fiddler root CA? If you did, then your system trusts the certificates issued by the Fiddler software in the same way it would trust certificates issued by Verisign or other trusted authorities.

You have to go to some effort to <a href="http://blog.jameshiggs.com/2008/05/01/c-how-to-accept-an-invalid-ssl-certificate-programmatically/" rel="nofollow">accept an untrusted certificate</a> in most programming environments, so it should have failed the check at that point, before sending the traffic to the server.

<strong>EDIT:</strong> If you're attempting to secure access to a GData store, then you should read the <a href="http://code.google.com/apis/gdata/docs/auth/overview.html" rel="nofollow">Authentication and Authorization documentation</a> with regard to this. Yes, it's a pain in the ass, but this is a way to secure the data without revealing your user account information at the client-app level.
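The answer above hinges on whether the Fiddler root CA has been installed. The following is an added example (not code from the original post or from Fiddler) that audits the Windows trusted-root stores from a .NET app and flags roots that look like an interception CA. Fiddler names its root "DO_NOT_TRUST_FiddlerRoot", which is the one fixed entry on the watch list; the "issued within the last N days" rule is a heuristic chosen for this example, since vendor roots are normally years old while a tool that generates its own root at install time produces a very recent one.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the original post or from Fiddler.
// Walks the CurrentUser and LocalMachine Root stores and reports roots that
// match a watch list of known interception CAs or that were issued recently.
static class RootStoreAudit
{
    // Fiddler's root CA subject contains this CN. Extend with other tools as needed.
    static readonly string[] WatchList = { "DO_NOT_TRUST_FiddlerRoot" };

    public static List<string> FindSuspiciousRoots(int recentDays = 30)
    {
        var findings = new List<string>();
        foreach (var location in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
        {
            var store = new X509Store(StoreName.Root, location);
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            try
            {
                foreach (X509Certificate2 cert in store.Certificates)
                {
                    string reason = null;

                    foreach (var name in WatchList)
                        if (cert.Subject.IndexOf(name, StringComparison.OrdinalIgnoreCase) >= 0)
                            reason = "matches interception-CA watch list";

                    // Heuristic (assumption for this example): a root created in the
                    // last N days is unusual for a vendor CA and typical of a tool
                    // that generated its own root when it was installed.
                    if (reason == null && cert.NotBefore > DateTime.Now.AddDays(-recentDays))
                        reason = "issued within the last " + recentDays + " days";

                    if (reason != null)
                        findings.Add(location + ": " + cert.Subject +
                                     " [" + cert.Thumbprint + "] " + reason);
                }
            }
            finally
            {
                store.Close();
            }
        }
        return findings;
    }

    static void Main()
    {
        var findings = FindSuspiciousRoots();
        if (findings.Count == 0)
            Console.WriteLine("No suspicious trusted roots found.");
        foreach (var f in findings)
            Console.WriteLine(f);
    }
}
```

Run it before sending credentials and refuse to continue when anything is reported. The name check is exact for Fiddler; the age heuristic will also surface legitimately new roots, so treat it as a prompt for a human to look, not as proof of interception.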

Answer2:

You can hide the traffic going out from your app with this simple code:

<pre><code>// Bypass the system (WinINET) proxy that Fiddler registers itself as
var request = (HttpWebRequest)WebRequest.Create(url);
request.Proxy = null;
</code></pre>

However, this works with Fiddler only. I don't know if it works with other traffic-monitoring software...

Answer3:

Now I can detect whether a fake certificate is in use or not. It's not only about securing my password; all my SSL communication is visible, including other sensitive data.

<blockquote><strong>SSL match at both ends</strong></blockquote>

<img alt="SSL match at both ends" src="https://i.stack.imgur.com/739Ky.png" />

<blockquote><strong>MITM Suspect!</strong></blockquote>

<img alt="MITM Suspect!" src="https://i.stack.imgur.com/Ng4Di.png" />

<hr />

Of course, a fake SSL certificate might contain matching strings, so I should compare both certificate files to ensure they are identical. Or better, simply encrypt a test string with both certificates and compare the results...
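The check described in the question's conclusion and in this answer, written out as an added example rather than code from the original post or from the Google Data API client: the app carries the public key of the authentic server certificate and refuses any TLS session whose leaf certificate carries a different key. Comparing key bytes is the robust form of "compare both certificate files": a Fiddler-generated certificate copies the subject name, but it cannot copy the server's key pair. The pinned fingerprint below is a placeholder, not Google's real key, and the file names in the usage are assumptions. Because the callback is installed on ServicePointManager it applies to every HttpWebRequest in the process, including the ones the GData library makes internally.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the original post or the Google Data API client.
static class PinnedTls
{
    // Placeholder (assumption): hex SHA-256 of GetPublicKey() taken from the
    // authentic www.google.com certificate on a machine known to be clean.
    // Pinning the key rather than the whole certificate survives a routine
    // renewal that keeps the same key pair.
    const string PinnedPublicKeySha256 =
        "0000000000000000000000000000000000000000000000000000000000000000";

    public static string PublicKeyFingerprint(X509Certificate2 cert)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(cert.GetPublicKey())).Replace("-", "");
    }

    // The answer's "compare both certificate files", done on the key bytes
    // instead of on subject strings that a forged certificate also carries.
    public static bool SameKey(X509Certificate2 a, X509Certificate2 b)
    {
        return a.GetPublicKey().SequenceEqual(b.GetPublicKey());
    }

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // Keep the normal chain checks. They are necessary but not sufficient:
        // once Fiddler's root is in the trust store its forged leaf passes them
        // with SslPolicyErrors.None, which is exactly the case the pin catches.
        if (errors != SslPolicyErrors.None || certificate == null)
            return false;
        var leaf = new X509Certificate2(certificate);
        return string.Equals(PublicKeyFingerprint(leaf), PinnedPublicKeySha256,
                             StringComparison.OrdinalIgnoreCase);
    }

    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    static void Main(string[] args)
    {
        // Offline use: compare a certificate saved from a clean machine with the
        // one exported from the client's Windows store (file names are assumptions).
        if (args.Length == 2)
        {
            var known = new X509Certificate2(args[0]);  // e.g. google-authentic.crt
            var seen  = new X509Certificate2(args[1]);  // e.g. google-from-client-store.crt
            Console.WriteLine(SameKey(known, seen) ? "SSL match at both ends" : "MITM suspect!");
            return;
        }

        // Online use: once the pin is installed, a session that terminates at
        // Fiddler presents Fiddler's key and the request fails with a WebException.
        Install();
        var request = (HttpWebRequest)WebRequest.Create("https://www.google.com/accounts/ClientLogin");
        request.Method = "HEAD";
        try
        {
            using (request.GetResponse())
                Console.WriteLine("Pin matched; credentials may be sent on this connection.");
        }
        catch (WebException ex)
        {
            Console.WriteLine("TLS rejected: " + ex.Message);
        }
    }
}
```

Record the pinned value from a machine you control, and keep a second pin for the key you expect after the next rotation so a legitimate key change does not lock the app out. The pin protects the connection against a forged certificate, but it does nothing against the original answer's point: software that already runs on the client can still read the credentials before they reach the socket.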
