1
votes

I built a GData app and I send my Google credentials to use my account. Fiddler can easily intercept my communication and reveal the username & password.

Is there any way to prevent prying eyes? Someone can easily reveal my password if not...

POST https://www.google.com/accounts/ClientLogin HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: www.google.com
Content-Length: 109
Expect: 100-continue
Connection: Keep-Alive

Email=xxxxxxxxxx%40gmail.com&Passwd=veryhigh-secure-ultra-strenght-passord-is-this-HHDGdgddhdyhghdeeehdeg^3h37373dE^^^+--XXXxxx123123h37ddg3g36dhjfhfg6373udbgd634t&source=database&service=writely&accountType=HOSTED_OR_GOOGLE

ADDITION: We know Google Docs's public SSL certificate. Can we check whether it is the one in use on the client's PC, or whether there is a fake one? Does it help?


Update & Conclusion:

Fiddler acts as a man-in-the-middle and injects a fake root certificate into Windows' trusted root certificate store. Then it generates a fake certificate for the target site. The browser uses that fake certificate -public key-, encrypts the data & sends it to Fiddler itself. Fiddler decrypts the data with the fake root certificate -private key-. Then it uses the remote site's original certificate, encrypts the data & sends it to the target site. It repeats the same things in reverse to respond to the browser.

I've simply asked how to detect these fake certificates in another question. If I build a simple application with .NET, the application will rely on & use Windows' "default/stored" certificate for the target site. If there is none, Fiddler will generate one on the fly.

So...

  1. I do not rely on the certificate in Windows' store and get the authentic certificate directly from the target site, or I have to include a valid certificate of the target site in my app.

  2. I have to modify the source code of the Google Data API to use my included -authentic- SSL certificate -a simple .crt file- for my https communications. So the data will be encrypted in my app and decrypted at the target site only.

  3. Securing memory -to make things harder- is the next step.

I've written these things as a future reference for whoever researches the same topics & to be approved by you.

Thanks.

Someone already mentioned fake certificates:

  1. Detecting Man in the Middle Attacks with DNS By Jason Coombs, December 18, 2003
3
That's a really poor password. – Rawling
Can I force my app/Google API to ignore/not allow any untrusted certificate? – Nime Cloud
Ok guys, I fixed the password. Now what? – Nime Cloud
As noted below, there's no threat from a network-based attacker, so building in protection like this isn't generally useful. You should also keep in mind that there's nothing practical you can do to prevent the user from changing your running code in memory to accept whatever interception certificate they are using. – EricLaw
I made things as hard as possible, used obfuscated multithreaded code with timers and a few randomized code flows. I think it's quite a boring job to crack my app for nothing. I also removed the user/pass pair; now I use a public shared spreadsheet with encrypted data. It's enough for me. I'm neither Microsoft, nor did I build Windows 8. – Nime Cloud

3 Answers

6
votes

The reason Fiddler can reveal your password is that it is acting as an HTTPS proxy. It acts as a man-in-the-middle, decrypting your secure traffic on the client side and re-encrypting it before sending it on to the target server. This all happens before your secure traffic leaves your system. Once it leaves your computer the data is encrypted.

As long as you are confident that your computer is secure from malware and other software like that, then you should consider the HTTPS traffic secure and encrypted and safe from snooping.

Did you install the Fiddler root CA? If you did, then your system trusts the certificates issued by the Fiddler software in the same way as it would trust certificates issued by Verisign or other trusted authorities.

You have to go to effort to accept an untrusted certificate in most programming environments, so it should have failed the check at that point, before sending the traffic to the server.

EDIT: If you're attempting to secure access to a GData store, then you should read the Authentication and Authorization documentation with respect to this. Yes, it's a pain in the ass, but this is a way to secure the data without revealing your user account information at the client-app level.

2
votes

You can hide the traffic going out from your app with this simple code:

request.Proxy = null;

However, this works with Fiddler only. I don't know if it works with other traffic-monitoring software....

0
votes

Now I can detect whether a fake certificate is in use or not. It's not only about securing my password; all my SSL communication is visible, including other sensitive data.

[Screenshots of the check: one labelled "SSL match at both ends", the other labelled "MITM Suspect!"]

Of course, a fake SSL certificate might contain matching strings, so I should compare both certificate files to ensure they are identical. Or better, simply encrypt a test string with both certificates and compare the results...
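As an added example (not code from the question, this answer, or the Google Data API library), here is how the certificate comparison described in the question's conclusion (steps 1 and 2) and in this answer could be wired into a .NET client: the app hashes the DER bytes of the certificate the server presents during the TLS handshake and refuses the connection unless the hash equals that of the bundled authentic .crt. Comparing the SHA-256 of the raw certificate is the same check as comparing the two certificate files byte for byte. The class and member names, the placeholder pin value, and the assumption that the GData library sends its requests through HttpWebRequest (so that the process-wide ServicePointManager callback covers them) are all mine, not the library's.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: pin the server certificate for every HTTPS connection the
// process makes to the SHA-256 hash of the bundled, authentic certificate.
static class CertificatePinning
{
    // ASSUMPTION / placeholder: replace with the SHA-256 (upper-case hex) of
    // the authentic certificate shipped with the app, e.g. computed once with
    // ComputePinFromFile("google.crt") and then stored here.
    private const string PinnedSha256 = "REPLACE_WITH_64_HEX_CHARS_OF_REAL_CERT_HASH";

    // SHA-256 over the raw DER encoding of a certificate, as upper-case hex.
    // Equal hashes mean the presented certificate is byte-for-byte the pinned one.
    public static string ComputePin(X509Certificate cert)
    {
        using (var sha = SHA256.Create())
        {
            byte[] hash = sha.ComputeHash(cert.GetRawCertData());
            return BitConverter.ToString(hash).Replace("-", "");
        }
    }

    // Derive the pin from the bundled .crt file (DER or Base64/PEM encoded).
    public static string ComputePinFromFile(string path)
    {
        return ComputePin(new X509Certificate2(path));
    }

    // Validation callback. A Fiddler-generated certificate chains to the
    // injected root, so sslPolicyErrors is None and the default check passes;
    // the pin comparison is what catches it, because its DER bytes differ.
    public static bool ValidateServerCertificate(object sender,
        X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Keep the normal chain/name/expiry validation: pinning adds to it.
        if (sslPolicyErrors != SslPolicyErrors.None || certificate == null)
            return false;

        string presented = ComputePin(certificate);
        bool match = string.Equals(presented, PinnedSha256, StringComparison.OrdinalIgnoreCase);
        if (!match)
        {
            // This is the "MITM suspect" case from the answer above: log it so
            // an interception attempt leaves a trace, then refuse the connection.
            Console.Error.WriteLine("Certificate pin mismatch for {0}: presented SHA-256 {1}",
                certificate.Subject, presented);
        }
        return match;
    }

    // Call once at start-up, before the first request is issued.
    // ServicePointManager is process-wide, so requests made internally by
    // the GData library through HttpWebRequest are covered too (assumption).
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
    }
}
```

Two practical caveats follow from the thread's own discussion. Pinning the leaf certificate means the app stops working the moment the site rotates its certificate, so either ship an update path or pin an issuing CA certificate in the chain instead of the leaf. And, as EricLaw's comment says, this only defends against a certificate the user's machine was tricked into trusting; someone who controls the machine can patch the callback out of the running process.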