Why can Fiddler decrypt HTTPS packets?

When Fiddler is installed on a computer, it explicitly asks the user: "Do you mind if I install my self-signed certificate on this computer?"

If you answer "No, please stop!", Fiddler will tell you: "Then I can do nothing!". If you want Fiddler to help you debug HTTP code running on top of the SSL/TLS encryption layer, you have to allow it to install the certificate, so your answer becomes "OK, please continue!". Fiddler then installs its certificate on the user's computer, and that certificate is trusted by the operating system and the browser. From that point on, whenever an HTTPS connection from the browser is intercepted by Fiddler, the certificate Fiddler issues to the browser for that site is trusted by the browser. Fiddler is, understandably, a tool to assist developers in debugging code. But once the test is complete, you still need to uninstall the installed certificate, because a "trusted certificate" is a double-edged sword: it can help you, and it can also bring hidden security risks.

If you download the Fiddler software from the Internet and it carries the manufacturer's original signature, the operating system will verify during installation whether that signature is valid. If it is valid, that at least indicates that this is the manufacturer's original build with no third-party modification, and you can be reasonably confident that an established company will not, for the sake of its own reputation, do something bad to its users. But if the signature is not valid, would you still click Next? Usually yes, because it does not seem like a big deal. That is where the security risk comes in: the software may have been tampered with by a third party, the certificate it installs may be a third-party certificate, and the private key of that certificate is in the hands of the third party. The user's HTTPS traffic can then be hijacked by that third party. You may be surprised to find advertisement pop-ups appearing even on your HTTPS web pages.

The best way to protect yourself is to delete all certificates from unknown sources and keep only the root certificates that ship with the system! As long as the certificate verification step of TLS is not compromised, the current version, TLS 1.2, is still very safe: no bad guy is going to brute-force the user's HTTPS encrypted traffic and crack a randomly generated 128-bit encryption key, which is an almost impossible task.

But the security level of a security scheme is determined not by its safest part but by its weakest link, and that weak link is authentication! Authentication is not a problem for mobile apps, because an app can embed its own trusted certificate in advance (certificate pinning) and trust nothing else; deceiving such an app is extremely hard. A browser client, however, has to keep maximum access to the Internet, so it cannot use a whitelist to filter the server's certificate. This is currently the biggest security risk of TLS!

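The contrast the preceding paragraphs draw, as an added Go example that is not from the original post and not Fiddler's own code: it builds a throwaway root and server certificate, then a second "debug proxy" root with a forged certificate for the same hostname, and runs the forged certificate through plain chain validation (what a browser does) and an SPKI pin (what an app with an embedded certificate does). The CA names, the hostname example.test and the Ed25519 keys are all constructed for the demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
const host = "example.test" // constructed hostname for the demo
// mkCert builds a self-signed root (parent == nil) or a server certificate for host signed by parent.
func mkCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, DNSNames: []string{host},
	}
	if parent == nil { // a root signs itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// browserCheck is what a browser does: path validation against whatever roots the store holds.
func browserCheck(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}
// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value a pinning app compares against.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// Run replays the page's scenario: a genuine chain, then a debug-proxy root added to the store.
func Run() (forgedOKClean, forgedOKProxyTrusted, pinMatches bool) {
	caCert, caKey := mkCert("Genuine Root CA", nil, nil)
	genuine, _ := mkCert(host, caCert, caKey)
	proxyCA, proxyKey := mkCert("Local Debug Proxy Root", nil, nil)
	forged, _ := mkCert(host, proxyCA, proxyKey) // same hostname, signed with the proxy's own key
	clean, polluted := x509.NewCertPool(), x509.NewCertPool()
	clean.AddCert(caCert)
	polluted.AddCert(caCert)
	polluted.AddCert(proxyCA) // what answering "OK, please continue" does to the trust store
	return browserCheck(forged, clean), browserCheck(forged, polluted), spkiPin(forged) == spkiPin(genuine)
}
func main() { fmt.Println(Run()) } // prints: false true false
```

The genuine certificate passes browserCheck against both stores, so once the proxy root is trusted the pin is the only check that still tells the forged certificate apart.
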
The above is the news sharing from PASSHOT. I hope it can inspire you. If you think today's content is not too bad, you are welcome to share it with other friends. There are more of the latest Linux dumps, CCNA 200-301 dumps, CCNP Written dumps and CCIE Written dumps waiting for you.

Copyright © 2024 PASSHOT All rights reserved.