I built a GData app and I send my Google credentials to use my account. <a href="http://fiddler2.com" rel="nofollow noreferrer">Fiddler</a> can easily intercept my communication and reveal my username & password.
Is there any way to prevent prying eyes? Someone can easily reveal my password if not...
<pre>
POST https://www.google.com/accounts/ClientLogin HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: www.google.com
Content-Length: 109
Expect: 100-continue
Connection: Keep-Alive

Email=xxxxxxxxxx%40gmail.com&Passwd=veryhigh-secure-ultra-strenght-passord-is-this-HHDGdgddhdyhghdeeehdeg^3h37373dE^^^+--XXXxxx123123h37ddg3g36dhjfhfg6373udbgd634t&source=database&service=writely&accountType=HOSTED_OR_GOOGLE
</pre>
<strong>ADDITION:</strong> We know Google Docs's public SSL certificate. Can we check whether it is the one in use on the client's PC, or whether a fake one is? Does it help?
<strong>Update & Conclusion:</strong>
Fiddler acts as a man-in-the-middle and injects a fake root certificate into Windows' trusted root certificate store. It then generates a fake certificate for the target site. The browser uses that fake certificate's public key to encrypt the data and sends it to Fiddler itself. Fiddler decrypts the data with the fake root certificate's private key, then uses the remote site's original certificate to encrypt the data and sends it to the target site. It repeats the same things in reverse to respond to the browser.
I've simply asked how to detect these fake certificates in another question. If I build a simple application with .NET, the application will rely on & use Windows' "default/stored" certificate for the target site. If there is none, Fiddler will generate one on the fly.
<ol><li>I must not rely on Windows' stored certificate; I have to get the authentic certificate directly from the target site, or I have to include a valid certificate of the target site in my app.</li>
<li>I have to modify the source code of the Google Data API to use my included -authentic- SSL certificate -a simple .crt file- for my HTTPS communications. So the data will be encrypted in my app and decrypted at the target site only.</li>
<li>Securing memory -to make things harder- is the next step.</li></ol>
I've written these things as a future reference for whoever researches the same topics, and for you to approve.
Someone already mentioned fake certificates:<ol><li><a href="http://drdobbs.com/184416896" rel="nofollow">Detecting Man in the Middle Attacks with DNS By Jason Coombs, December 18, 2003</a></li></ol>
Answer1:
The reason Fiddler can reveal your password is that it is acting as an HTTPS proxy. It acts as a man-in-the-middle, decrypting your secure traffic on the client side and re-encrypting it before sending it on to the target server. This all happens before your secure traffic leaves your system. Once it leaves your computer, the data is encrypted.
As long as you are confident that your computer is secure from malware and other software like that, then you should consider the HTTPS traffic secure and encrypted and safe from snooping.
Did you install the Fiddler root CA? If you did, then your system trusts the certificates issued by the Fiddler software in the same way as it would trust certificates issued by Verisign or other trusted authorities.
You have to go to effort to <a href="http://blog.jameshiggs.com/2008/05/01/c-how-to-accept-an-invalid-ssl-certificate-programmatically/" rel="nofollow">accept an untrusted certificate</a> in most programming environments, so it should have failed the check at that point, before sending the traffic to the server.
<strong>EDIT:</strong> If you're attempting to secure access to a GData store, then you should read the <a href="http://code.google.com/apis/gdata/docs/auth/overview.html" rel="nofollow">Authentication and Authorization documentation</a> with regard to this. Yes, it's a pain in the ass, but this is a way to secure the data without revealing your user account information at the client-app level.
Answer2:
You can hide the traffic going out from your app with this simple code:
request.Proxy = null;
However, this works with Fiddler only. I don't know if it works with other traffic-monitoring software....
Answer3:
Now I can detect whether a fake certificate is in use or not. It's not only about securing my password; all my SSL communication is visible, including other sensitive data.
<blockquote><strong>SSL match at both ends</strong></blockquote>
[Screenshot: SSL match at both ends]
<blockquote><strong>MITM Suspect!</strong></blockquote>
[Screenshot: MITM Suspect!]
<hr />
Of course, a fake SSL certificate might contain matching strings, so I should compare both certificate files to ensure they are identical. Or better, simply encrypt a test string with both certificates and compare the results...
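One way to carry out the conclusion of the question (ship the genuine certificate with the app) and the byte-for-byte comparison suggested in this answer, as an added C# example that is not from the question, the answers or the GData library; the file name google-pinned.crt, the PinnedSsl class and the constant-time comparison are assumptions, and www.google.com is the host from the captured request:

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Assumed: the genuine server certificate was exported out-of-band and shipped with the
// app as "google-pinned.crt" (constructed file name; not from the original page).
static class PinnedSsl
{
    private const string PinnedHost = "www.google.com";   // host from the captured request
    private static readonly X509Certificate2 Pinned =
        new X509Certificate2(Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "google-pinned.crt"));

    // True only when the presented leaf certificate is byte-for-byte the pinned one.
    // Comparing the raw DER bytes is stricter than comparing subject strings, which a fake can copy.
    public static bool MatchesPin(X509Certificate presented)
    {
        if (presented == null) return false;
        byte[] a = presented.GetRawCertData();
        byte[] b = Pinned.RawData;
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];   // constant-time compare
        return diff == 0;
    }

    // Installs the check process-wide. HttpWebRequest, which the GData .NET library uses
    // underneath, consults this callback, so the library itself needs no modification.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, certificate, chain, sslPolicyErrors) =>
            {
                bool chainOk = sslPolicyErrors == SslPolicyErrors.None;
                var request = sender as HttpWebRequest;
                string host = request != null ? request.RequestUri.Host : null;
                if (!string.Equals(host, PinnedHost, StringComparison.OrdinalIgnoreCase))
                    return chainOk;   // other hosts: ordinary chain validation only

                // A Fiddler-issued certificate passes the chain check, because its root was
                // added to the trusted store, but it cannot match the pinned bytes.
                bool pinOk = MatchesPin(certificate);
                if (!pinOk)
                {
                    string seen = certificate == null ? "(none)" : new X509Certificate2(certificate).Thumbprint;
                    Console.Error.WriteLine("MITM suspect for " + host + ": presented thumbprint "
                        + seen + " != pinned " + Pinned.Thumbprint);
                }
                return chainOk && pinOk;
            };
    }
}
```

Call PinnedSsl.Install() once at startup, before the first GData request. The pinned bytes stop matching whenever Google rotates its certificate, so pinning the public key (SubjectPublicKeyInfo) instead of the whole certificate is the usual, more durable variant.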