什么是点SSL如果提琴手2可以通过HTTPS所有通话解密? [英] What is point of SSL if fiddler 2 can decrypt all calls over HTTPS?
问题描述
我在这里问一个问题,而回如何隐藏我的http请求调用,使他们在我的应用程序更安全。我不希望人们用小提琴手2,看该呼叫并成立了一个自动回复。每个人都告诉我去SSL和通话将被隐藏,并保证信息的安全。
I asked a question here a while back on how to hide my http request calls and make them more secure in my application. I did not want people to use fiddler 2 to see the call and set up a auto responder. Everyone told me to go SSL and calls will be hidden and information kept safe.
我购买并安装了SSL证书,并把一切都成立。我启动了小提琴手2就跑连接到一个HTTPS Web服务以及连接到HTTPS PHP脚本测试应用程序。
I bought and installed a SSL Certificate and got everything set up. I booted up fiddler 2 and ran a test application that connect to a https web service as well as connected to a https php script.
提琴手2不仅能够检测两个请求,但解密他们以及!我能看到的所有信息回去和第四位。这使我的问题。
Fiddler 2 was able to not only detect both requests, but decrypt them as well! I was able to see all information going back and fourth. Which brings my question.
什么是具有SSL为它作了0安全上的差异点。带或不带SSL的,我可以看到所有的信息,回去和第四,仍然设置了自动回复。
What is the point of having SSL if it made 0 security differences. With or without SSL I can see all information going back and fourth and STILL set up a auto responder.
有什么在.net中我缺少更好地掩饰我的电话会通过SSL?
Is there something in .net I am missing to better hide my calls going over SSL?
修改
我加入一个新的部分对这个问题的一些我已经得到了反应。如果连接到Web服务的应用程序登录。该应用发送web服务一个用户名和密码。 Web服务,然后将数据发送回应用程序再别康桥登录数据还是坏。即使要通过SSL使用招2人可以只设立一个自动应答和应用程序,然后破解。我理解它是如何可能是有用的使用需要看到调试中的数据,但我的问题是什么人应该做的确保是SSL连接是一个有人请求。基本上说不能有一个中间人。
I am adding a new part to this question as of some of the response I have gotten. What if a app connected to a web service to login. The app sends the web service a username and a password. The web service then sends data back to the app saying good login data or bad. Even if going over SSL the person using fiddler 2 could just set up a auto responder and the application is then "cracked". I understand how it could be useful to use need to see the data in debugging, but my question is what exactly should one do make sure the SSL is connecting to is the one it was requesting. Basically saying there can not be a middle man.
推荐答案
这是这里介绍:<一href="http://www.fiddlerbook.com/fiddler/help/httpsdecryption.asp">http://www.fiddlerbook.com/fiddler/help/httpsdecryption.asp
Fiddler2依赖于人在这方面的中间人的方式来HTTPS拦截。到Web浏览器,Fiddler2声称自己是安全的Web服务器,以及Web服务器,Fiddler2模仿网页浏览器。为了pretend是Web服务器,Fiddler2动态生成HTTPS证书。
Fiddler2 relies on a "man-in-the-middle" approach to HTTPS interception. To your web browser, Fiddler2 claims to be the secure web server, and to the web server, Fiddler2 mimics the web browser. In order to pretend to be the web server, Fiddler2 dynamically generates a HTTPS certificate.
基本上你手动信任任何证书提琴手提供,同样也会如此,如果你手动接受素不相识的人的证书不匹配域名。
Essentially you manually trust whatever certificate Fiddler provides, the same will be true if you manually accept certificate from random person that does not match domain name.
编辑: 有办法prevent菲德勒/中间人攻击 - 即在自定义应用程序使用SSL可以要求特定的证书以用于通信。如果浏览器他们有UI通知证书不匹配的用户,但最终还是让这样的通信。
There are ways to prevent Fiddler/man-in-the-middle attack - i.e. in custom application using SSL one can require particular certificates to be used for communication. In case of browsers they have UI to notify user of certificate mismatch, but eventually allow such communication.
至于明确的证书,你可以尝试使用Azure的服务(如天青使用PowerShell工具)的可公开获得的样品和嗅探与小提琴手的流量。它没有因明确的证书要求。
As an publicly available sample for explicit certificates you can try to use Azure services (i.e. with PowerShell tools for Azure) and sniff traffic with Fiddler. It fails due to explicit cert requirement.
这篇关于什么是点SSL如果提琴手2可以通过HTTPS所有通话解密?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
