4
votes

When using Fiddler, it asks to install a root certificate, which automatically decrypts SSL traffic. But it also warns that the user shouldn't install it unless it's a test system.

My understanding is that, because Fiddler is using the same private key on every computer, an attacker can get this private key and do a real MITM, and the user wouldn't know because the computer is trusting Fiddler's root.

However, this line on Fiddler's website contradicts my theory of shared private keys:

If the client computer itself previously had run Fiddler in HTTPS-decryption mode, all attempts to visit HTTPS pages secured by the other computer's version of Fiddler will fail with an unspecified certificate problem. To resolve this, remove the Fiddler root certificate that is in the client's certificate store. (The mismatched root certificate causes the problem, as every Fiddler instance generates its own unique root).

My question is: why is Fiddler not creating a private key on a per-machine basis, so it would be safe? If Fiddler is already doing this, why tell users not to install it unless it's a test system?

Just to be clear, I'm talking about this warning: [screenshot of Fiddler's root certificate warning]

1
@Eric, does that mean it is actually safe but you just put it there to make lawyers happy? Is it implemented as I wrote (different private keys on different computers)? If so, we'll install it in many places without worry; if not, then I hope we can find a way to address it and make it secure. – dr. evil
Every Fiddler root certificate has a unique private key on only that machine. – EricLaw
Thanks Eric, I recently confirmed that as well by checking how the cert is generated in the first place by using makecert, thanks for the clarification. – dr. evil
What does this certificate give the person who generates it in terms of accessibility on my machine? – Maystro

1 Answer

5
votes

Q: Does Fiddler create private root certificates uniquely per machine?

A: Yes, of course. http://www.telerik.com/blogs/faq---certificates-in-fiddler

What’s the Risk?

Many security folks are worried that, if a user configures Windows to trust Fiddler’s root certificate, that user could have their traffic intercepted and decrypted by any other Fiddler user. They assume that Fiddler is sharing the same root certificate across all installations.

Fear not! Every Fiddler root certificate is uniquely generated, per user, per machine. No two Fiddler installations have the same root certificate. The only way for a Fiddler user to be “spoofed” by a bad guy is if that bad guy already is running code inside the user’s account (which means you’d already be pwned anyway).
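As an added illustration (not Fiddler's own code, which generates its root on each machine with makecert), this shell script uses openssl to stand in for two separate Fiddler installations: each generates an independent root with its own fresh private key, and a certificate issued under one root is rejected when checked against the other, which is the "unspecified certificate problem" quoted in the question. The names machineA, machineB and example.test are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: two independently generated roots never share a key, and a
# certificate issued by one fails verification against the other.
set -eu
WORK=$(mktemp -d)

# Generate a self-signed root named $1 with a fresh random private key,
# as each Fiddler installation does for its own root.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 7 \
    -subj "/CN=Demo-Root-$1/O=DO_NOT_TRUST" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Issue a leaf certificate for host $2, signed by root $1 (what the proxy
# does on the fly for each intercepted HTTPS site).
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 7 -sha256 -out "$WORK/$2.pem" >/dev/null 2>&1
}

# SHA-256 fingerprint of root $1: the value to compare across machines to
# confirm that two installations really hold different roots.
fingerprint() {
  openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256 | cut -d= -f2
}

# Verify leaf $2 against root $1; returns openssl's verification status.
verify_against() {
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
    echo "ok: $2 chains to root $1"; return 0
  else
    echo "fail: $2 does not chain to root $1 (mismatched root)"; return 1
  fi
}

make_root machineA
make_root machineB
issue_leaf machineA example.test
echo "root A: $(fingerprint machineA)"
echo "root B: $(fingerprint machineB)"
verify_against machineA example.test
verify_against machineB example.test || true
```

The two fingerprint lines differ on every run; comparing the Fiddler root's thumbprint on two machines the same way is the practical check that the roots are not shared.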