如果 fiddler 2 可以通过 HTTPS 解密所有调用,那么 SSL 的意义何在? [英] What is point of SSL if fiddler 2 can decrypt all calls over HTTPS?
问题描述
不久前我在这里问了一个问题,关于如何隐藏我的 http 请求调用并使它们在我的应用程序中更安全.我不希望人们使用 fiddler 2 来查看电话并设置自动应答器.每个人都告诉我要使用 SSL,通话将被隐藏,信息将保持安全.
I asked a question here a while back on how to hide my http request calls and make them more secure in my application. I did not want people to use fiddler 2 to see the call and set up an auto responder. Everyone told me to go SSL and calls will be hidden and information kept safe.
我购买并安装了 SSL 证书并设置了所有内容.我启动了 fiddler 2 并运行了一个连接到 https Web 服务以及连接到 https php 脚本的测试应用程序.
I bought and installed an SSL Certificate and got everything set up. I booted up fiddler 2 and ran a test application that connect to an https web service as well as connected to an https php script.
Fiddler 2 不仅能够检测到这两个请求,还能解密它们!我能够看到所有信息倒退和第四,这让我想到了我的问题.
Fiddler 2 was able to not only detect both requests, but decrypt them as well! I was able to see all information going back and fourth, which brings me to my question.
如果 SSL 对安全性的影响为零,那么拥有 SSL 的意义何在.无论是否使用 SSL,我都可以查看所有信息,并且仍然设置了自动回复器.
What is the point of having SSL if it made zero difference to security. With or without SSL I can see all information going back and fourth and STILL set up an auto responder.
.NET 中是否有我遗漏的东西可以更好地隐藏我通过 SSL 的调用?
Is there something in .NET I am missing to better hide my calls going over SSL?
编辑
由于我收到了一些回复,我正在为此问题添加一个新部分.如果应用程序连接到 Web 服务进行登录会怎样.该应用程序向 Web 服务发送用户名和密码.然后 Web 服务将数据发送回应用程序,说明登录数据的好坏.即使通过 SSL,使用 fiddler 2 的人也可以只设置一个自动响应器,然后应用程序就会破解".我明白在调试中查看数据有什么用,但我的问题是究竟应该怎么做才能确保 SSL 连接到它请求的那个.基本上是说不能有中间人.
I am adding a new part to this question due to some of the responses I have received. What if an app connects to a web service to login. The app sends the web service a username and a password. The web service then sends data back to the app saying good login data or bad. Even if going over SSL the person using fiddler 2 could just set up an auto responder and the application is then "cracked". I understand how it could be useful to see the data in debugging, but my question is what exactly should one do to make sure the SSL is connecting to the one it was requesting. Basically saying there cannot be a middle man.
推荐答案
这里有介绍:http://www.fiddlerbook.com/fiddler/help/httpsdecryption.asp
Fiddler2 依赖于中间人"HTTPS拦截的方法.对于您的网络浏览器,Fiddler2 声称是安全的网络服务器,而对于网络服务器,Fiddler2 模仿网络浏览器.Fiddler2为了伪装成Web服务器,动态生成HTTPS证书.
Fiddler2 relies on a "man-in-the-middle" approach to HTTPS interception. To your web browser, Fiddler2 claims to be the secure web server, and to the web server, Fiddler2 mimics the web browser. In order to pretend to be the web server, Fiddler2 dynamically generates a HTTPS certificate.
本质上,您手动信任 Fiddler 提供的任何证书,如果您手动接受来自不匹配域名的随机人的证书,情况也是如此.
Essentially, you manually trust whatever certificate Fiddler provides, the same will be true if you manually accept certificate from random person that does not match domain name.
有多种方法可以防止 Fiddler/中间人攻击 - 即在自定义应用程序中,使用 SSL,可以要求使用特定证书进行通信.对于浏览器,它们有 UI 来通知用户证书不匹配,但最终允许此类通信.
There are ways to prevent Fiddler/man-in-the-middle attack - i.e. in custom application, using SSL, one can require particular certificates to be used for communication. In case of browsers, they have UI to notify user of certificate mismatch, but eventually allow such communication.
作为显式证书的公开示例,您可以尝试使用 Azure 服务(即使用 Azure 的 PowerShell 工具)并使用 Fiddler 嗅探流量.由于明确的证书要求而失败.
As a publicly available sample for explicit certificates, you can try to use Azure services (i.e. with PowerShell tools for Azure) and sniff traffic with Fiddler. It fails due to explicit cert requirement.
这篇关于如果 fiddler 2 可以通过 HTTPS 解密所有调用,那么 SSL 的意义何在?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
