问题描述

我刚才在这里询问了如何隐藏我的http请求电话，并使其在我的应用程序中更安全。我不想让人们使用fiddler 2来看电话，并设置一个自动回复。每个人都告诉我去SSL，电话会被隐藏，信息保密。

I asked a question here a while back on how to hide my http request calls and make them more secure in my application. I did not want people to use fiddler 2 to see the call and set up an auto responder. Everyone told me to go SSL and calls will be hidden and information kept safe.

我购买并安装了一个SSL证书，并且设置了一切。我启动了fiddler 2，并运行了连接到https Web服务以及连接到https php脚本的测试应用程序。

I bought and installed an SSL Certificate and got everything set up. I booted up fiddler 2 and ran a test application that connect to an https web service as well as connected to an https php script.

Fiddler 2不仅可以检测两个请求，但也解密他们！我能够看到所有的信息回溯到第四，这让我来了解我的问题。

Fiddler 2 was able to not only detect both requests, but decrypt them as well! I was able to see all information going back and fourth, which brings me to my question.

如果SSL对安全性造成零差异，那么SSL有什么意义。有或没有SSL我可以看到所有的信息回来和第四，STILL设置一个自动回复。

What is the point of having SSL if it made zero difference to security. With or without SSL I can see all information going back and fourth and STILL set up an auto responder.

有没有在.NET中我没有更好地隐藏我的电话通过SSL？

Is there something in .NET I am missing to better hide my calls going over SSL?

编辑

我为此添加了新的部分由于我收到的一些答复的问题。如果应用程序连接到Web服务登录，该怎么办？该应用程序向Web服务发送用户名和密码。然后，Web服务器将数据发回给应用程序，说明良好的登录数据或不良。即使使用SSL，使用提示2的人也可以设置一个自动应答器，然后应用程序破解。我了解如何在调试中查看数据是有用的，但是我的问题是，应该怎么做才能确保SSL连接到正在请求的数据。基本上说不能有一个中间人。

I am adding a new part to this question due to some of the responses I have received. What if an app connects to a web service to login. The app sends the web service a username and a password. The web service then sends data back to the app saying good login data or bad. Even if going over SSL the person using fiddler 2 could just set up an auto responder and the application is then "cracked". I understand how it could be useful to see the data in debugging, but my question is what exactly should one do to make sure the SSL is connecting to the one it was requesting. Basically saying there cannot be a middle man.

推荐答案

这里介绍：

本质上您手动信任Fiddler提供的任何证书，如果您手动接受来自随机人员的证书，则也是如此不符合域名。

Essentially you manually trust whatever certificate Fiddler provides, the same will be true if you manually accept certificate from random person that does not match domain name.

编辑：
有办法防止Fiddler /中间人攻击 - 即在自定义应用程序使用SSL可以要求特定的证书用于通信。在浏览器的情况下，他们有UI通知用户证书不匹配，但最终允许这种通信。

There are ways to prevent Fiddler/man-in-the-middle attack - i.e. in custom application using SSL one can require particular certificates to be used for communication. In case of browsers they have UI to notify user of certificate mismatch, but eventually allow such communication.

作为公开可用的显式证书样本，您可以尝试使用Azure服务（即使用Azure的PowerShell工具），并使用Fiddler嗅探流量。由于明确的证书要求，它失败。

As an publicly available sample for explicit certificates you can try to use Azure services (i.e. with PowerShell tools for Azure) and sniff traffic with Fiddler. It fails due to explicit cert requirement.

这篇关于如果fiddler 2可以通过HTTPS解密所有呼叫，SSL是什么意思？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！