Communication security: Fiddler intercepts my talks. How can I secure my app?


Problem description



I built a GData app and I send my Google credentials to use my account. Fiddler can easily intercept my communication and reveal my username & password.

Is there any way to prevent prying eyes? Someone can easily reveal my password if not...

POST https://www.google.com/accounts/ClientLogin HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: www.google.com
Content-Length: 109
Expect: 100-continue
Connection: Keep-Alive

Email=xxxxxxxxxx%40gmail.com&Passwd=veryhigh-secure-ultra-strenght-passord-is-this-HHDGdgddhdyhghdeeehdeg^3h37373dE^^^+--XXXxxx123123h37ddg3g36dhjfhfg6373udbgd634t&source=database&service=writely&accountType=HOSTED_OR_GOOGLE

ADDITION: We know Google Docs's public SSL certificate. Can we check whether it is in use on the client's PC or whether there is a fake one? Does it help?

Update & Conclusion:

Fiddler acts as a man-in-the-middle and injects a fake root certificate into Windows' trusted root cert store. Then it generates a fake certificate for the target site. The browser uses that fake certificate -public key- & encrypts & sends the data to Fiddler itself. Fiddler decrypts the data with the fake root certificate -private key-. And then it uses the remote site's original certificate & encrypts the data & sends it to the target site. It repeats the same things in reverse to respond to the browser.

I've simply asked how to detect these fake certificates in another question. If I build a simple application with .NET, the application will rely on & use Windows' "default/stored" certificate for the target site. If there is none, Fiddler will generate one on the fly.

So...

  1. I do not rely on the certificate in Windows and get the authentic certificate directly from the target site, or I have to include a valid certificate of the target site in my app.

  2. I have to modify the source code of the Google Data API to use my included -authentic- SSL certificate -a simple .crt file- for my https communications. So the data will be encrypted in my app and decrypted at the target site only.

  3. Securing memory -to make things harder- is the next step.

I've written these things as a future reference for whoever will research the same topics & to be approved by you.

Thanks.

Someone already mentioned fake certificates:

  1. Detecting Man in the Middle Attacks with DNS, by Jason Coombs, December 18, 2003

Solution

Now I can detect whether a fake certificate is in use or not. It's not only about securing my password; all my SSL communication is visible, including other sensitive data.

SSL match at both ends

MITM Suspect!


Of course, a fake SSL certificate might contain matching strings, so I should compare both certificate files to ensure they are identical. Or better, simply encrypt a test string with both certificates and compare the results...
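The check sketched in the answer, written out as an added C# example (not the original answer's code and not part of the GData library): it assumes a bundled copy of the real server certificate at the hypothetical path pinned-server.crt and compares the server's public key, which a Fiddler-generated certificate cannot reproduce even when its subject strings match.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Certificate pinning for a .NET HTTPS client (added example, not the answer's own code).
// Assumption: a copy of the genuine server certificate, obtained out-of-band, ships with
// the application at the hypothetical path below.
public static class CertPinning
{
    private const string PinnedCertPath = "pinned-server.crt"; // hypothetical bundled file
    private static string _pinnedKeyHash;

    // Hash the public key rather than the subject/issuer strings: a fake certificate can
    // copy the visible names, but it cannot carry the real server's public key.
    public static string PublicKeyHash(X509Certificate2 cert)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(cert.GetPublicKey()));
    }

    public static bool Validate(object sender, X509Certificate cert, X509Chain chain,
                                SslPolicyErrors errors)
    {
        // Ordinary chain validation must still pass. Note that a Fiddler-issued leaf passes
        // this step, because its fake root was added to the Windows trusted root store.
        if (errors != SslPolicyErrors.None) return false;

        // The pin check is what actually catches the interception.
        bool match = PublicKeyHash(new X509Certificate2(cert)) == _pinnedKeyHash;
        Console.WriteLine(match ? "SSL match at both ends" : "MITM Suspect!");
        return match; // false aborts the TLS handshake before any credentials are sent
    }

    public static void Install()
    {
        _pinnedKeyHash = PublicKeyHash(new X509Certificate2(File.ReadAllBytes(PinnedCertPath)));
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
}
```

ServicePointManager's callback is process-wide, so it also governs the GData library's HTTPS calls without modifying its source. The pin has to be updated whenever the server's key is rotated, otherwise the application stops connecting.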
